By Nirosh Jayaratnam
The newly discovered vulnerabilities in modern computers leak passwords and extremely sensitive data. The entire computer industry is moving as quickly as possible to patch against these critical security flaws.
What is Meltdown and Spectre?
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, cryptographic keys, your personal photos, emails, instant messages and even business-critical documents. Both attacks abuse 'speculative execution' to access privileged memory, including those allocated for the kernel, from a low privileged user process like a malicious app running on a device.
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.
Vendors have made significant progress in rolling out fixes and firmware updates. The Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google. Spectre involves two known attack strategies so far and patches are not available for all OS.
List of available patches:
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
- Amazon Security Advisory: https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
- Red Hat Linux: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Linux kernel: https://www.kernel.org/
- Apple macOS, iOS, tvOS, and Safari Browser: https://support.apple.com/en-us/HT208394
- Android OS: https://source.android.com/security/bulletin/2018-01-01
- VMWare: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
- ARM: https://developer.arm.com/support/security-update
- Firefox Web Browser: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
- Google Chrome Web Browser: Scheduled the patches on January 23 with the release of Chrome 64. In the meantime, users can enable an experimental feature called “Strict Site Isolation" (chrome://flags/#enable-site-per-process) that can offer some protection against the web-based exploits but might also cause performance problems.
Please note that these patches may cause performance slowdowns based on your hardware, operating system, and workloads. But security trumps performance. It is recommended that you make the patches since a successful attack would give you your worst nightmare ever. If it causes a huge performance lag in the system, you can uninstall the patch and revert the system back to its original state by accepting the potential security risk.
Boligmappa has already taken appropriate security measures against newly discovered deadly vulnerabilities Meltdown and Spectre to protect Boligmappa systems. A Performance analysis was done after the patches were applied in order to identify performance slowdowns.