Meltdown and Spectre
Make sure your data is safe.
Update | 02/08/2018
Intel began field testing new firmware to address the Spectre vulnerability for its Skylake processors. According to the chip manufacturer, this firmware should resolve the initial reboot and instability issues experienced by the first round of patches released in January. Intel said it will also release updated firmware for the older Haswell and Broadwell architecture processors imminently.
Meltdown and Spectre are names given to CPU design flaws that have existed for at least 10 years. Meltdown affects all modern Intel chips, Apple’s A series, and certain ARM/Qualcomm chips. Spectre affects Intel, ARM, AMD, and Qualcomm CPU chips found in desktop computers, laptops, tablets, smartphones, servers, virtual servers, routers, and switches. Though it affects more devices than Meltdown, Spectre is much harder to exploit. (Details – 1A)
- These vulnerabilities must be exploited to be a problem; if your equipment has not been infected by malware that exploits them, there is no issue at the moment.
- If exploited, sensitive data can be exposed and stolen.
- No known exploits have been identified YET, but malicious development for Meltdown is known to be in the works. (Details – 1B)
What you need to do
- Verify that the antivirus solution on your Windows computers is compatible with the Microsoft Meltdown security patches released on January 3. Check this link and look for your antivirus solution. (Details – 2A)
- Make sure that your OS and browser patches are up to date. Microsoft, Apple, Google, Mozilla, and most Linux distros released OS and browser patches starting on January 3. Note: if your AV solution is not Microsoft compatible, the patches will not deploy. (Details – 2B)
- Be prepared: Microsoft Meltdown patches will likely affect system performance. (Details – 2C)
- Spectre is also addressed with BIOS updates from your hardware vendor. See the “More Info” section of this page for links to specific vendor sites for availability, as patches are not yet released for all hardware. (Details – 2D)
- Exercise EXTREME CAUTION with unfamiliar email and websites, including notices of updates/patches that you receive via email. There are reports of malware being spread as social engineering attacks in the form of supposed Meltdown and Spectre patches. If you receive an email advertising security patches or updates for these vulnerabilities, be suspicious, even if the link points to a site beginning with “https:.” You may want to consider deploying End-User Security Awareness Training. (Details – 2E)
How Synergy can help
Managed Services Customers: what’s covered and what’s not (Details – 3A)
- Your antivirus solution has already been verified to be compatible with Microsoft patches.
- Microsoft Windows security patches have been applied to covered servers/workstations.
- BIOS updates to address these vulnerabilities are not automatically applied under your current contract.
- You should monitor hardware vendor sites for Spectre BIOS update availability (see the link in the “More Info” section).
Non-Managed Services Customers (Details)
- Follow “What You Need To Do” steps.
- Monitor hardware vendor sites for Spectre BIOS update availability (see link in “More Info” section).
- Synergy can assist you with anything pertaining to Meltdown or Spectre, from an assessment of your efforts with patching and BIOS updates, to evaluating your current environment to determine best practices and compliance. For more information, contact our professional services team. (mailto:firstname.lastname@example.org)
All customers: with social engineering being the leading cause of malware infection, we invite you to get more info on Synergy’s new End-User Security Awareness Training. (Details – 2E)
More Info and Informative Links
- Technical explanations for Meltdown and Spectre
- Comprehensive article on the vulnerabilities, including current patch info.
- Original Research (pdf)
- Microsoft article on antivirus solution compatibility
- Microsoft article on AMD processor issues
- Public list of antivirus solution compatibility with Windows security patches
- Lenovo BIOS Update Information
- Homeland Security article with links to vendor-specific info
Latest Updates and News on Meltdown and Spectre:
Intel and AMD are both working on redesigns for their processors to mitigate the threats posed by the Meltdown and Spectre vulnerabilities. The extent to which the manufacturers will be able to eliminate these vulnerabilities is unclear, however, as Spectre especially exploits a fundamental feature of modern CPUs (speculative execution).
AMD announces first Spectre-resistant chips could be seen as early as 2019.
In an earnings call yesterday (1/31/18), AMD CEO Lisa Su said that starting with the release of its Zen 2 PC and server chips, expected around 2019, AMD would make changes to mitigate attacks exploiting Spectre-related flaws in its CPUs.
AMD processors are not susceptible to Meltdown; only Intel, Apple, and certain ARM Cortex series processors are susceptible to the Meltdown vulnerability. All processors, however, are susceptible to both variants of Spectre. AMD patches for both Spectre variants are being released; they cause performance slowdowns but not the crashes, reboots, and instability issues seen with the Intel patches.
Intel Meltdown and Spectre updates continue to be plagued by instability issues and have been pulled from general release.
Microsoft has released a PowerShell script network admins can run to help identify which of their devices have been updated and what the current level of protection/mitigation is on each device. This article is a good reference on Microsoft’s current stance with regard to Meltdown and Spectre mitigation.
Barkly recently released polling info from mid-January indicating 26% of organizations polled have no Windows devices with the Meltdown and Spectre patches. 80% of network admins polled said the update process has been unclear and they still have lingering questions.
Fixes for Spectre variant 2 (CVE-2017-5715, Branch Target Injection) generally require a firmware update, sometimes also requiring an OS kernel update. These updates come through your hardware vendors (HP/Dell/Lenovo/IBM, etc.). However, in a major recent setback, Intel told these computer manufacturers to temporarily stop rolling out the firmware fix for Spectre variant 2 after reports of unexpected reboots on systems where it had been applied. This could explain why you may no longer see links to these fixes on your vendor’s site where they were available previously. There is no word from other chip vendors on their Spectre variant 2 fixes being recalled.
Operating system vendors have been releasing patches for the Meltdown vulnerability (CVE-2017-5754, Rogue Data Cache Load) and the Spectre variant 1 vulnerability (CVE-2017-5753, Bounds Check Bypass). Initial reports of problems with Microsoft patches and AMD Opteron, Athlon and Turion X2 Ultra processors have been resolved.
The nature of the Spectre variant 2 flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. A Microsoft analysis of which systems are likely to be most affected by applying the Spectre fix (which, again, is currently being recalled by Intel only) found the following results:
- Most users running Windows 8 and Windows 7 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance
- Some users running Windows 10 PCs on 2015-era Intel Haswell or older CPUs will notice more significant slowdowns than on newer chips
- Most users running Windows 10 PCs on 2016-era Intel Skylake, Kaby Lake or newer CPUs won’t notice a change, due to only “millisecond differences” in operations
Microsoft recommends server admins “evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment”.
VMware has also warned that the resulting increase in CPU utilization after applying fixes for Spectre could result in organizations discovering they need to increase the size of clusters of virtual machines where previously they had sufficient capacity.
Major cloud providers (AWS, Google and Microsoft) say that, for the majority of workloads, customers should not notice a difference in performance following the updates. However, there have been reports from some customers of a performance drop-off. AWS customer Epic Games attributed a more than 20 percent spike in CPU load on a cloud server hosting games of Fortnite to the impact of the Spectre and Meltdown patches.
Meltdown basically “melts security boundaries which are normally in place and enforced by hardware,” according to researchers. It is the more serious vulnerability, and the one that OS vendors are currently patching. According to Google, it breaks the “most fundamental isolation between user applications and the operating system”, breaking down the mechanism that keeps applications from accessing arbitrary locations in their memory. Spectre, on the other hand, tricks applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
The scope of this design flaw issue is fairly large and global. According to Google, essentially “every Intel processor released since 1995 is vulnerable to Meltdown.” Due to their specific CPU microarchitecture, Intel chips are primarily susceptible to Meltdown. Additionally, only certain ARM processors are susceptible to Meltdown: Cortex-A15, Cortex-A57, Cortex-A72, and Cortex-A75 models.
Spectre, on the other hand, affects all modern CPUs due to the widespread use of speculative execution (predicting process execution based upon learned behavior). You can find additional technical explanations in the articles linked to in the “More Info” section above.
While there are currently no known exploits for Meltdown and Spectre, Cisco reported on its Talos blog on 1/8/18 that “we have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.” The sense of urgency is growing daily, especially relating to Meltdown. Researchers are close to turning Meltdown into a truly useful attack, and what researchers can do, surely those in the bad actor community can do as well.
What You Need To Do
When Microsoft first began releasing OS patches for Meltdown, a compatibility issue was identified with products from certain antivirus vendors. Compatibility issues arise when antivirus applications make unsupported calls into Windows kernel memory, resulting in blue screen stop errors and boot issues. To help with this issue, Microsoft took the extreme position that their patches would only be distributed to systems where compatible antivirus solutions were installed. Microsoft is looking for a particular registry setting that “compatible” solutions set correctly. In cases where antivirus software cannot be installed, Microsoft recommends setting the registry key manually in order to receive the valuable security patches. Check the link in the “More Info” section above to verify that your antivirus solution is compatible. The registry setting Microsoft is looking for is: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc\0
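A read-only status check an admin can run on each Windows device, added here as an example (it is not Synergy’s or Microsoft’s code): it reports whether the antivirus-compatibility registry value above is present, what the BIOS version is (to compare against your hardware vendor’s site), and the mitigation status reported by the Microsoft PowerShell script mentioned in the news section. It assumes that script is the SpeculationControl module with its Get-SpeculationControlSettings cmdlet and the output field names used below; the module name and field names are not stated on this page.

```powershell
# Added example, not from the page. Run in an elevated PowerShell session.
# Assumption: Microsoft's mitigation-status script is the SpeculationControl module
# (Install-Module SpeculationControl); its cmdlet and field names are assumed here.

$compatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name quoted on this page

function Test-AvCompatFlag {
    # $true only when the value exists and holds the 0 that Microsoft's update check looks for.
    $item = Get-ItemProperty -Path $compatPath -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatName -eq 0)
}

function Get-MitigationSummary {
    # Returns $null when the SpeculationControl module is not installed.
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        return $null
    }
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        # Spectre variant 2 (CVE-2017-5715): needs firmware support AND the OS patch enabled
        BTI_FirmwareSupport = $s.BTIHardwarePresent
        BTI_OSPatchPresent  = $s.BTIWindowsSupportPresent
        BTI_Enabled         = $s.BTIWindowsSupportEnabled
        # Meltdown (CVE-2017-5754): kernel VA shadowing is the OS-side fix
        Meltdown_Required   = $s.KVAShadowRequired
        Meltdown_OSEnabled  = $s.KVAShadowWindowsSupportEnabled
    }
}

$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Host ("BIOS: {0} {1} (released {2})" -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate)
Write-Host ("AV compatibility flag set: {0}" -f (Test-AvCompatFlag))

$summary = Get-MitigationSummary
if ($null -eq $summary) {
    Write-Host "SpeculationControl module not installed; run 'Install-Module SpeculationControl' and re-run."
} else {
    $summary | Format-List
    if ($summary.BTI_OSPatchPresent -and -not $summary.BTI_FirmwareSupport) {
        Write-Host "OS patch for Spectre variant 2 is present but the firmware lacks support: a vendor BIOS update is still needed."
    }
    if ($summary.Meltdown_Required -and -not $summary.Meltdown_OSEnabled) {
        Write-Host "Meltdown applies to this CPU but the OS mitigation is not enabled: check the AV flag and Windows Update."
    }
}
```

The AV flag being absent explains a device that shows no January patches even though Windows Update runs; the BIOS line is what you compare against the vendor pages linked in “More Info”.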
Most OS and browser vendors have released the first round of patches to address Meltdown. However, more updates are expected to follow as researchers have not yet definitively identified all potential avenues of attack made possible by Meltdown and Spectre. It’s important to keep in mind that this is the farthest-reaching, most-encompassing vulnerability discovery in modern history. The fact that it was discovered in a lab and not as the result of a data breach is nothing short of miraculous. The vulnerabilities were actually discovered by at least three independent research teams across the world as early as spring of 2017. This article tells the story of the discovery process. These researchers immediately alerted Intel and other affected chip manufacturers. OS and browser vendors were brought into the loop and work began immediately on patching the vulnerabilities as they were known at the time.
Primary Microsoft patches addressing Meltdown and Spectre are identified in the following KB Articles:
Microsoft has also released a Security Advisory Article detailing the Meltdown and Spectre vulnerabilities, their impact on Windows operating systems, and all available KB articles providing security patches. You can reference these article numbers to verify that your devices are patched.
Please exercise caution with any notices of updates/patches that you receive via email. There are reports of malware being spread as social engineering attacks in the form of supposed patches for Meltdown and Spectre. If you receive an email advertising a site to get a security patch or an update for these vulnerabilities, be very cautious, even if the link points to a site beginning with “https:”.
As some of the OS patches from Microsoft began to be applied, many users began reporting crashing, boot issues, and, most notably, slowdowns. In addition to the antivirus incompatibilities noted above, Microsoft’s patches have proven completely incompatible with certain older AMD processors (Athlon X2, circa 2008), resulting in failure to boot after application. While Microsoft and AMD work on resolving the issue, Microsoft has stopped distributing patches to computers with this model processor. In an effort to mitigate these flaws in the way CPU chips operate, some of the features that made these chips so fast have been circumvented, resulting in seemingly slower performance.
Microsoft is not the only patch vendor causing performance problems. Intel is releasing patches to address Spectre, and early reports are indicating boot and performance issues as well. Intel’s patches are in the form of BIOS updates and are not released by Intel directly. These updates come from hardware vendors such as HP and Dell. Before applying any of these patches, check your vendor’s site to verify that they have not been recalled.
Since Spectre’s vulnerabilities lie more with the physical design of the CPUs, patches arrive in the form of BIOS updates. For devices other than Microsoft Surface and Apple-branded hardware, these BIOS updates must be sourced from the hardware vendor. We’ve included links to HP, Dell, and Lenovo for you to monitor when updates will be available for your hardware. Keep in mind, Intel just pulled a majority of updates it had released as severe boot and performance issues were being reported. Microsoft Surface and Apple BIOS updates arrive along with regular security and reliability updates, so they don’t require any additional work.
Synergy is pleased to announce its latest—and most timely—managed service offering: End-User Security Awareness Training. This service combines award-winning security training (and retraining where applicable) with routine social engineering testing to reinforce crucial security concepts.
How Synergy Can Help
Level 2 and Level 3 monitoring from Synergy includes Windows security and OS patching for covered devices as part of our service. You can get more details, including info on our Remote Monitoring and Service Desk services on our website.