How to Protect Your Systems from the Intel Meltdown & Spectre Flaws
Last week, security researchers uncovered what is possibly the biggest and worst security flaw in modern computing. Referred to as the Intel “Meltdown” and “Spectre” bugs, these critical flaws enable malicious software to spy on other system processes and steal data.
Just how big of a problem is this?
Intel Meltdown and Spectre affect nearly all processors made by Intel. That encompasses the majority of PCs on the market today, mobile devices, roughly 90 percent of active servers and 95 percent of the technologies used by cloud-computing services and data centers.
That’s a whole lot of vulnerable computers and a recipe for disaster.
In this post, we answer some of the most pressing questions about this unfortunate security lapse:
- What are the Meltdown and Spectre computer chip flaws?
- How exactly can they be exploited?
- How the heck did this happen?
- What should you do to protect your systems?
Make no mistake. These bugs may go down as some of the worst in history, and they will affect how all computer chips are designed in the future. But there are steps you can take right now to safeguard your systems and significantly mitigate your risks of an attack.
What are the Intel Meltdown and Spectre flaws?
Intel Meltdown and Spectre are fundamental flaws in the way that processing chips were designed. Although the flaws were only recently discovered, it’s clear that the problem has existed in most computer chips for the past 20 years.
Meltdown affects the majority of Intel chips. Spectre is a flaw found in Intel chips, as well as AMD chips and British-designed ARM chips, which are common in smartphones.
Both flaws create a vulnerability in the way that processors perform a speed-boosting technique known as speculative execution. It’s within that process that malicious software could exploit the flaw to spy on other system processes and steal virtually the entire kernel memory content of the computer.
How can the flaws be exploited?
In simplest terms, the flaws allow hackers to steal sensitive data from a computer. That data could be anything from passwords to sensitive information within your business-critical apps.
In more specific terms, the chip’s flaws allow low-privilege processes to access memory in the computer’s kernel—“the machine’s most privileged inner sanctum,” as Wired puts it.
Both flaws create vulnerabilities based on the same basic principle, but here’s the key distinction between the two:
- Meltdown enables malicious applications to gain access to higher-privileged processes within the computer’s kernel memory.
- Spectre enables malicious applications to steal data from the memory of other applications running on that machine.
Think beyond a single machine for a moment and imagine the implications for a company server or a cloud-based server shared by multiple organizations.
The vulnerability could enable a hacker to break out of one’s user process on Amazon Web Services and spy on the processes of entirely different users on the same shared server.
For you tech folks, let’s dig a little deeper into how and where an attack can occur within the chip process known as speculative execution.
Think of speculative execution as a way for computer chips to process code faster by guessing—or speculating—the next step of a process. As Wired explains:
“When modern Intel processors execute code and come to a point in an algorithm where instructions branch in two different directions, depending on input data—whether there’s enough money in an account to process a transaction, for instance—they save time by ‘speculatively’ venturing down those forks. In other words, they take a guess, and execute instructions to get a head start. If the processor learns that it ventured down the wrong path, it jumps back to the fork in the road, and throws out the speculative work.”
But researchers discovered that processors don’t fully separate low-privilege (untrusted) processes from the highest-privilege memory. That gives hackers the ability to fool the processor into allowing unprivileged code to spy on the kernel’s memory via the process of speculative execution.
Not really a ‘flaw,’ per se?
Not surprisingly, Intel has been trying to downplay the seriousness of the flaw while also working with technology companies to release fixes.
Intel executives have argued that their chips are actually working as they should and that Meltdown and Spectre aren’t technically design flaws. Their reasoning is that, when these chips were first developed, there wasn’t yet a way to exploit the vulnerabilities.
Intel VP Steven Smith explained to the New York Times that the speculative execution approach to chip design “emerged before researchers developed new ways to spy on such internal operations, using what they call ‘side-channel’ analysis.” Smith said this means the vulnerabilities aren’t exactly flaws or bugs, per se, in the same way that houses are built with doors and windows that burglars can exploit, yet those aren’t technically design flaws.
That’s an odd analogy to make, frankly, but at least Intel is working on a solution.
What should you do?
Intel and numerous other tech companies have already released some patches that should alleviate most of the concerns about Intel Meltdown and Spectre—though not necessarily all.
The most important thing you can do is keep your software up to date. Any applications used by your teams should be updated as soon as updates become available from developers.
Here’s what companies are doing so far:
- The major Web browser developers—Google, Microsoft and Mozilla—have already released patches for their browsers. (They don’t fix the chip, but they should prevent malicious apps from spying on activity within the browsers.)
- As for cloud services, Amazon, Google and Microsoft have said they’ve already patched most of their servers, which should address the problem of shared servers being vulnerable to data spying in most cases.
- Intel says it is not considering a chip recall, which would be massive. Instead, the company has released firmware patches for its processors and has been actively working with a wide range of tech providers to develop patches that should “close most of the security gaps,” according to the New York Times.
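One way to confirm that the operating-system patches actually took effect on a Linux machine, as an added example that is not part of the original post. It assumes a kernel that reports its status under /sys/devices/system/cpu/vulnerabilities; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the kernel's own report of Meltdown/Spectre status.
# Assumption: a Linux kernel that exposes the sysfs directory below
# (mainline since 4.15, backported by many distributions).

# classify_status STATUS -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not affected by this issue
        Mitigation:*)    echo OK ;;          # kernel reports an active mitigation
        Vulnerable*)     echo VULNERABLE ;;  # affected and not (fully) mitigated
        *)               echo UNKNOWN ;;     # unexpected or empty text
    esac
}

# audit_cpu_vulns [DIR] -> prints one line per issue and returns the number
# of entries that are not OK (0 means every checked issue is mitigated).
audit_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify_status "$status")
        else
            # Missing file: the kernel predates the reporting interface,
            # which usually means it also predates the fixes.
            status="(no kernel report)"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || bad=$((bad + 1))
        printf '%-12s %-11s %s\n' "$name" "$verdict" "$status"
    done
    return "$bad"
}

# Audit the machine this script runs on only when asked to.
if [ "${1:-}" = "--live" ]; then
    audit_cpu_vulns
    exit $?
fi
```

Run it with `--live` on the machine being checked; the exit status is the number of issues the kernel does not report as mitigated, so a patch-compliance job can alert on any non-zero result.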
Is it true that the patches are problematic?
Yes—there have been reports that at least some of the patches are causing problems for some machines.
This week, Microsoft stopped releasing patches for AMD machines after numerous reports of machines being unbootable after the patches were installed.
Another big problem: the patches make processors slower.
Since the patches rework the speed-boosting efficiency of speculative execution, researchers warn the updates could slow down machines by as much as 30 percent in some situations. That’s an especially big concern for cloud services and companies that use data-heavy applications.
However, your average user likely won’t notice much of a difference. Also, future patches may help to restore some of the lost performance over time.
So, that’s it? All fixed?
No, not really.
Researchers say that Spectre—the flaw that enables one application to steal data from another—is particularly tricky. In fact, some say it may be impossible to fix completely.
One problem is the expansive list of smaller software vendors and developers that may never release patches for their products, especially ones that are a few years old.
It makes sense for a company like Google to update its Chrome browser, which is actively in use by millions of people and businesses around the world. Otherwise, Chrome would be an obvious target for cybercriminals.
But don’t expect your four-year-old webcam to receive an update anytime soon.
What’s the likelihood of an attack?
Researchers say that Spectre is difficult to exploit, but certainly not impossible. In the age of ransomware, where cyberattacks are increasingly about money, a well-funded team of hackers could successfully penetrate businesses and government agencies—especially if they believed there was a big payoff waiting for them.
But as Wired points out, there are simpler ways for hackers to steal passwords and sensitive information. Phishing attacks do this every day.
Who are the most vulnerable companies?
On the one hand, you could argue that the organizations most at risk of being exploited are banks, government agencies, large healthcare facilities and others that store highly sensitive data.
But on the other hand, the simple truth is this: the most vulnerable companies are those that don’t bother patching their systems.
We know from experience that businesses of all sizes are notoriously bad at updating their software. It’s why so many companies were affected by the WannaCry ransomware last summer: WannaCry exploited a vulnerability in Windows that had been patched long ago. So only businesses that hadn’t updated Windows were attacked.
It may be years before we know the extent of damage caused by Meltdown and Spectre. But if and when an attack happens, you can be sure that it will be targeted at companies that failed to patch their systems accordingly.