A Different Type of Threat?
Many high profile security flaws follow the same pattern. They hit the news, make a stir, get a patch and end up wrapping tomorrows chips once everyone has checked they are no longer vulnerable.
The recent flaws found so far in the hardware and silicon underpinning our modern lives (dubbed Meltdown and Spectre) are showing us that these are different beasts entirely, and that they caught the IT industry asleep at the wheel.
With the ‘average’ CPU now having transistor numbers in the billions, it was inevitably only a matter of time before a hardware flaw was discovered in these monstrously complicated feats of engineering. Intel has certainly taken the brunt for the first wave of these discovered vulnerabilities, but it’s still far from over yet. There even may be more variants on the horizon (Two new possible candidates have been dubbed MeltdownPrime and SpectrePrime). These vulnerabilities are feeding a whole new arm of information security, and there are no doubt many who are now fuzzing these devices in much more detail with interest.
High Level Stuff!
Now there are many articles out there outlining the intricate technical detail behind these flaws, but in case they left you confused, let’s stick to the high level stuff here:
- These are essentially all CPU speculative execution side channel attacks that allow your data to become readable when it shouldn’t (most modern processors make use of speculative execution to speed things up). These vulnerabilities so far discovered are either between processes (Spectre variants), or in the case of Intel across the entire physical system (Meltdown).
- There is no ‘real fix’ for these issues as the fault is already burned into the CPU silicon. The workarounds so far are essentially OS patches that emulate a fix in software. New compilers and the extra instructions to do things like flushing buffers between certain operations to make the system safe are the cause of some slowdown that is seen as a result.
- These vulnerabilities affect most of the last 20 years of Intel/AMD processors, but only recent ones will likely end up getting fully patched. Some mobile (ARM) CPUs have shown vulnerabilities to these too. Vulnerable CPUs are also found in other equipment that you might not expect, such as networking gear.
- This is now a further security consideration for organisations that have only just gotten comfortable with putting their sensitive data in the public cloud.
Now normally the advice here is usually the same. Patch and update all your systems, yada yada yada. True to an extent, but if you want to be sure you have the best coverage here? It is well worth doing some checks yourself. Why, you ask?... Well now it gets a bit more complicated.
For a start, your OS must have support to mitigate these vulnerabilities, so if you are using anything exotic, you’ll have to check with your software vendor. Also most implementations require a microcode update for your CPU (via a BIOS/firmware upgrade). Hopefully your manufacturer is still in business and is still supporting your platform at this point. The microcode updates were deemed necessary to mitigate some of the performance penalties that would otherwise be encountered without the new instructions it offered. Finally its likely Intel won’t patch pre-Haswell CPUs.
Windows being Windows...
Next, extra complexities for Windows. This handy to remember string:
is the special key that must be present in the registry before windows will trust that your AV solution won’t leave your system unbootable, and must be present before Windows will apply the updates required. Now, I get that Microsoft had to deal with stuff that fell out during testing, but due to the cumulative nature of windows updates now, it also means that you could be in a situation where you get no updates at all until this is resolved. I’ve seen custom installs of valid AV products fall foul of this and fail to add the safety word in the registry, leaving users in the worst of situations: Showing no available windows updates and at the same time showing that there are no problems with your system (i.e. No errors in Windows Update.)
Well what about my virtual machines? The same applies. You will need to patch both the hypervisor and the guest in these cases, basically because modern hardware assisted virualisation means that code get executed close to natively, and the hypervisor cannot protect the guest from these side channel attacks.
How do I test I am protected?
And how do I test that I’m protected you ask? Well, the larger players here have not really come up with easy accessible ways for most users to confirm if their system is properly patched and configured, so you will have to dig a little or rely on less official tools for this. One’s we have found to be helpful are:
- Windows Powershell Module: Speculation-Control
- Linux Shell Script: GitHub Spectre Meltdown Checker
- Windows Application: GRC Inspectre
What about my super cool XP machine?
So after all this what do you do with any older computers and equipment? Throw them all out? Jump immediately to the next latest and greatest CPUs for your workstations and servers? ...
Well that may not be a fix either, as there’s always the chance that future CPUs, may still exhibit some other flaws down the line. You will have to make a risk based decision for unsupported systems. As always, the better, longer standing piece of advice here always is that a false sense of security is often worse than no security at all. Go forth and check that you are not wide open as the code to exploit this becomes more and more available to hackers.