Meltdown & Spectre

Author: Mitchell Grande

The big news of the past week is two new vulnerabilities that affect nearly all computers: Meltdown and Spectre.  Here we'll cover what they are, how they work, and how to protect against them.  Since these are complicated exploits, this email will not go into great technical depth.
 
Meltdown and Spectre - what are they
Meltdown and Spectre are new vulnerabilities disclosed by security researchers last week.  They actually comprise three different variants of exploits.
  1. Spectre Variant 1 (CVE-2017-5753) - Affects both AMD and Intel processors
  2. Spectre Variant 2 (CVE-2017-5715) - Affects both AMD and Intel processors
  3. Meltdown (CVE-2017-5754) - Affects only Intel processors
 
Meltdown is the most serious of the bunch because it is the easiest to exploit, but all three variants allow an unauthorized program to read memory on the targeted computer that it should not be able to access.  This could manifest in many different ways.  For example, code running in one virtual private server (VPS) could read the data of other customers' processes on the same physical host, or a webpage with malicious code could access private browser memory containing cached passwords on the client.
 
None of the variants are currently detectable by antivirus or antimalware applications.  Signatures may appear once these exploits are used in the wild, but detection will be unreliable because a program exploiting the vulnerabilities looks very similar to a typical, benign application.
 
How do they work
The vulnerabilities exploit the fact that, to boost performance, CPUs speculatively execute instructions before it is known whether they are actually needed.  If the speculation turns out to be wrong, the results are thrown out and never committed to the program's visible state.  However, the data those discarded instructions touched can remain in the CPU cache for a short period of time.  Normally this isn't an issue, but a malicious process can use precise timing measurements to infer what data was loaded into that cache.  The end result is that a regular user-level process can determine what's inside memory it shouldn't have access to, including kernel memory or the memory of other processes.
 
How to protect against them
To fully protect against these exploits, both an operating system patch and a CPU firmware update are required.  For Windows, Microsoft has released a detailed guide that covers how to protect Windows desktops, servers, and SQL servers.  For Linux, a kernel patch named KAISER has been developed and is being released for various distributions.
 
More specifically, the following steps are required to protect a Windows device:
  • Create a registry key that enables the device to receive the relevant Windows update
    • This is required due to compatibility issues between some antivirus programs and this patch.  Most AV software will set this registry key automatically, but it can be set manually if needed.
  • Apply the correct operating system update and reboot
  • Configure additional registry keys that actually enable the protection of the patch
  • Reboot again for the additional keys to take effect
  • Apply the firmware update if available
  • Run the Microsoft-provided PowerShell script to ensure all protections are active
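The following PowerShell script is an added example, not code from the original email or from Microsoft, that audits a Windows host for the state the steps above should produce and, only when run with -Apply, sets the two registry settings the steps describe.  The registry paths, value names and values it uses are the ones Microsoft publishes in its Meltdown/Spectre guidance; verify them against the current version of that guide before relying on the script.  It assumes an elevated PowerShell prompt and, for the final check, that Microsoft's SpeculationControl module from the PowerShell Gallery has been installed.

```powershell
<#
  Added example (not from the article or from Microsoft).
  Audits the Meltdown/Spectre mitigation steps on a Windows host.
  Without -Apply it only reports; with -Apply it writes the registry
  settings described in the steps above.  Run elevated.
  Registry paths/values are taken from Microsoft's published guidance;
  verify against the current guide before use.
#>
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless this switch is given
)

# Step 1: antivirus compatibility flag that allows the update to be offered.
$compatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# Step 3: override values that switch the mitigations on once the update is installed.
$mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValueOrNull {
    # Returns the named registry value, or $null if the key or value is missing.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-MitigationState {
    # Summarises what steps 1 and 3 above should have left in the registry.
    $override = Get-RegValueOrNull $mmPath 'FeatureSettingsOverride'
    $mask     = Get-RegValueOrNull $mmPath 'FeatureSettingsOverrideMask'
    [pscustomobject]@{
        AvCompatKeySet              = ((Get-RegValueOrNull $compatPath $compatValue) -eq 0)
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        # Override 0 with mask 3 is the documented "enabled" combination.
        # No value at all means the platform default applies (on by default for
        # Windows client after the update, off by default on Windows Server).
        OverrideEnablesMitigations  = ($override -eq 0 -and $mask -eq 3)
    }
}

function Set-MitigationRegistry {
    # Writes the documented "enabled" values; a reboot is needed afterwards.
    foreach ($p in $compatPath, $mmPath) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    New-ItemProperty -Path $compatPath -Name $compatValue -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mmPath -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mmPath -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value 3 -Force | Out-Null
}

Write-Host 'Registry state before any change:'
Test-MitigationState | Format-List

if ($Apply) {
    Set-MitigationRegistry
    Write-Host 'Registry updated; reboot before the settings take effect.'
    Test-MitigationState | Format-List
}

# Step 6: Microsoft's SpeculationControl module reports whether the kernel
# and firmware (microcode) protections are actually active on the running system.
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    Get-SpeculationControlSettings
} else {
    Write-Host 'SpeculationControl module not found; install it with: Install-Module SpeculationControl'
}
```

Run it once without -Apply to record the current state, then with -Apply after the operating system update is installed, reboot, and run it again: the registry fields show whether steps 1 and 3 were completed, while Get-SpeculationControlSettings is the authoritative check that both the OS patch and the firmware update are in effect, since a firmware-dependent mitigation stays reported as unavailable until the CPU microcode has been updated.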
 
Author

Mitchell Grande

Systems Engineer