A New Year Cybersecurity Two-Fer: Meltdown and Spectre

The new year has started with a major cybersecurity two-fer. First on the hit parade is the Meltdown flaw, which affects almost any device that contains an Intel CPU made since 1995. Let’s put it this way: if you own anything resembling a modern device, chances are that you’re affected. A well-publicized proof of concept hack for this flaw exists. This means that all of the basic hacker toolkits (e.g., Metasploit) will quickly be updated to take advantage of this flaw in real time, once more practical exploits are found.

The second flaw is known as Spectre. It’s a more difficult flaw to exploit, but it affects all modern CPUs – not just those made by Intel. Intel, AMD and ARM-based devices are all vulnerable to attacks that can reveal sensitive information, such as passwords and information that should remain encrypted.

Plus, we sort of have an Equifax-like response going on, here: security professionals working for Google and independent organizations informed major tech companies (e.g., Apple, Microsoft and Google), about these issues in the summer of 2017. That’s why some companies already have fixes available. But the public wasn’t informed until just days ago.

Meltdown

Let’s set the time machine back to 1995. Yes, 1995: the year that gave the world Windows 95, the first eBay auction and the movie "Toy Story." It saw the birth of my son Jacob, and the death of the Grateful Dead’s Jerry Garcia. It’s also the year that Intel’s CPU developers created CPU blueprints that misused a key feature of modern computing called “speculative execution.” The result is Meltdown, one of the largest, most far-reaching CPU bugs ever discovered. Yes, that’s right: we’ve all been using hackable hardware since the days of (Bill) Clinton, Tony Blair and Boris Yeltsin. Forget “fake news,” man. Putin’s got nothing on Meltdown! With Meltdown, it’s possible to create conditions that can allow a hacker to read real, accurate and sensitive data such as passwords and information that is normally encrypted.

How Does Meltdown Work, and Why Is This Such a Big Deal?

Normally, a device’s CPU is designed to create walls, or barriers, between user applications and the operating system kernel. The Meltdown flaw creates conditions where an attacker can remove those barriers. In speculative execution, a CPU takes a guess concerning the next command or processor path that an application will use. If the CPU is right, then your application launches faster and better. If the CPU guesses wrong, it’s no biggie (at least in theory), because the CPU simply rolls back the execution, and moves on.

But with Meltdown, a hacker can install a malicious application to trick the workings of speculative execution in all modern PCs to expose protected areas of the operating system kernel. The memory stored in this area of the kernel contains vital, sensitive information, including passwords and encrypted information.

Spectre

The Spectre flaw also exploits speculative execution and exists in the CPUs supplied by all of the major chip manufacturers. It, therefore, impacts all modern CPUs. The impact of this particular flaw is on PC and server-based systems. It’s an especially significant problem for cloud-based providers. Why? Because Spectre raises the . . . spectre . . . that hackers can exploit memory flaws in virtualized systems.

In a virtualized environment, you have a host system that houses several “guest” operating systems. These “guest” operating systems are generally thought to be isolated from one another using various boundary checks and isolation routines that run in the operating system kernel. A Spectre-based exploit of the Spectre flaw can make it possible for a guest operating system to read information about the host system, or even for one guest system to read the memory of another guest system, similar to the Meltdown attack.

With the Spectre flaw, it’s possible for an attacker to use malicious software that can trick a properly updated application into revealing sensitive information. Think of all the cloud-based systems that support your favorite services, such as Netflix, Google Drive or the virtualized systems that your bank uses. All of those virtualized systems are at risk, because it’s possible – though relatively difficult – for a hacker to exploit the boundaries that really don’t work the way they are supposed to work at the CPU level.

The good news about Spectre is that it’s more difficult to exploit than Meltdown. The bad news, however, is that Spectre flaw is much more difficult to fix. CPUs need to use speculative execution to function properly. You can’t simply deactivate it. You can’t simply resolve the problem with firmware updates, either.

Resolving the Problems

At this time, the solution for both problems is to overlay a software fix that makes it more difficult (I won’t use the word “impossible”) for attackers to turn the Meltdown and Spectre flaws into exploits. Coders are currently working on software solutions now. For Meltdown, software fixes will resolve the problem, for the most part. The updates will help create buffers around key memory areas. Firmware updates will also be necessary for tablets and mobile phones and similar devices; all of the major smart device manufacturers are scrambling to create updates.

When it comes to Spectre, the problem is not as easily resolved. The only true fix is to completely re-design (and replace) all modern CPUs. That’s, well, just not possible. So, a software update will have to work in the interim. This software update will create the barriers and buffers that should have been properly designed. The problem is that this software layer will eventually require updates. Keeping software updated has been a chronic problem in the industry, as we saw with the Equifax hack. Still, workarounds are on the way. It’s possible that these updates may have a performance impact on your device. But generally, you won’t notice it.

The upshot? Update your systems, computers, tablets and phones. Windows 10 has been updated already, and Windows 7 and 8 users should have it already. Rollouts exist for Apple devices. Attackers exploiting Meltdown will go after Web browsers. Update your browsers early and often. Windows users should, of course, update their antivirus applications.

“If you’re taking care of the boring old basics, this can be a virtual non-issue,” said Lysa Myers, security researcher at ESET and member of the CompTIA IT Security Community. “I know it’s way more fun to shop for gadgets with magical, blinking lights than it is to do janitorial tasks like risk assessment, timely updates and regular, tested backups, but diligently performing routine maintenance tasks is a whole lot more effective, and usually a heck of a lot cheaper in both the short and long-term.”

Why Did This Happen, and Why on Such a Huge Scale?

While some experts will call this a non-issue, it is certainly a teachable moment, and by no means a fire drill. The tech industry needs to work on creating secure development lifecycle rubrics that each company customizes and faithfully executes. We’re lucky to have innovative companies creating really cool devices and software for us. The problem is, the pressures of bringing hardware and software to market in a timely manner means that it’s not always possible to follow secure development rubrics.

Plus, chip manufacturers and software developers alike love to reuse blueprints, technologies and code. Why reinvent the wheel, right? But when you re-use anything, you end up re-using both the good and bad things inside of that blueprint, code or technology.

It seems that some of the blueprints used for the CPUs just didn’t consider the possibility of the types of sophisticated attacks that now exist. For example, I gave a presentation at London’s Cloud Security Expo, where I detailed issues about side-channel exploitation and virtual machines. I’m not an expert at CPU design, so I, of course, didn’t know anything about Spectre; but I’ve noted for a couple of years now how fellow techies in the cloud space have been worried about side-channel attacks in virtual machines. It just could be that Spectre – and especially Meltdown – can make large-scale attacks even more likely than before.

Moving forward, it’s high time that we see the industry gather together and adopt standards that help keep issues such as this from happening. I’m not talking about government regulation. But I am saying that with the stakes being so high, it’s time for companies to work together to create – and follow – more stringent development standards.