- 2 major bugs affecting almost every processor in devices (computers, phones, etc.) made in the last 20 years discovered.
- Exploiting the bugs could result in exposure of passwords and other sensitive data to bad guys.
- MANUAL user intervention required before necessary patches can be applied to computers.
- Applying patches to remedy problem will have a performance impact on computers and devices.
- Hardware and software vendors still working on optimum solutions.
In case you missed it, 2018 started off with a bang in the IT Security world with an announcement of 2 major vulnerabilities named Meltdown and Spectre. Never a dull moment in this space 😊.
Now I feel I should back up for a second and define some basic terminology which will help you understand the rest of this article. The 2 keywords for today are:
a) Vulnerability aka bug.
a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.
An exploit is a general term for any method used by hackers to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system’s security that opens a system to an attack.
An exploit takes advantage of a vulnerability. Now that we have gotten that out of the way we can move forward.
The vulnerability explained
The bugs discovered (Meltdown and Spectre) take advantage of a design feature in modern CPUs called Speculative Execution. Speculative Execution helps CPUs run faster by going ahead of a program and speculatively executing instructions which are further down the line. By the time program execution catches up to that code, the computed result is already waiting to be used resulting in performance improvements.
Without getting too technical, researchers found a way of “tricking” this feature into exposing data such as passwords and other files not directly linked to the program being executed.
Who is affected
Most CPUs released since 1995 from manufacturers such as Intel, AMD and ARM are affected. The scope of devices ranges from desktop computers to mobile devices across all platforms (Apple, Microsoft, Android etc.).
– Allows programs to access way more information than they are normally allowed to. “Melting down” normal security barriers.
– Involves the operating system
Software vendors have released patches to address this. At the time of testing Microsoft discovered that some antivirus software would conflict with the patch resulting in system failures. As such the Microsoft patch requires that the antivirus on the computer be certified to be compatible with this fix before the fix can be installed on any computer. Antivirus vendors in turn have responded by releasing updates to their software. Not all anti-virus applications are compatible however and the onus will be on the users to check with their vendors.
– Harder to exploit and harder to remedy as an update to the actual CPU is required.
Long term CPU manufacturers will redesign the processor to plug this hole. In the meantime, they have started releasing firmware updates to close this vulnerability. The process of applying a firmware update to a CPU is a very delicate one and reports of several problems brought about by the updates are surfacing. It is also rumoured that Intel are quietly telling their customers to hold off on applying these updates as they don’t seem to be 100% ready.
Side effects of applying the patches
Because the patches alter the CPUs ability to pre-emptively execute code ahead of time, there are performance penalties to pay. Estimates are that performance will be impacted between 10% – 30% depending on system configuration and workloads. Microsoft have also stated that Windows 7 and 8 are generally going to see a higher performance impact than Windows 10.
What is required of you?
– Check that your antivirus software is compatible with the required patch. If your Anti-Virus is not compatible you will NOT get patch and your system will remain vulnerable. And if you do not have anti-virus software you are playing with fire.
– Download and apply the required operating system patch. If you have enabled automatic windows updates for your system this process should occur automatically.
– Make a decision whether you will apply the CPU patch for Spectre once its ready and fully tested. This is one of those cases where you will need to strike a balance between performance and the need for security.
The IT Security world is a game of cat and mouse. New bugs will continue to be discovered and vendors will continue to scramble to plug the holes. What shouldn’t change however is your approach to IT Security.
We recommend you employ Security best practices:
1) Ensure you have up to date Anti-Virus software on your computer
2) Exercise caution when handling email attachments and browsing the web. If you didn’t request a password reset DO NOT click on that password reset link in that email and NO that’s not an email from Australia Post or The Police.
3) Ensure your system is always up to date with the latest updates.
Once again issues like this really make a strong case for acquiring Managed IT Services. With Managed IT Services the day to day management of your systems is taken off your hands giving you peace of mind and leaving you to concentrate on your business.