2018 has just begun, but the digital world is already in unrest. Enter Meltdown and Spectre: two critical vulnerabilities that affect CPUs installed in consumer devices as well as in enterprise-grade services like Amazon AWS, Google Cloud Platform, and Microsoft Azure. The weaknesses allow adversaries to use malicious code that executes locally (in browsers, too) to read memory, including kernel memory, compromising sensitive data such as the passwords or private documents stored in it.

What makes the Meltdown and Spectre CPU vulnerabilities so significant? And why are their long-lasting implications going to affect almost all of the computer industry?

Why Everyone Should Pay Attention to Meltdown and Spectre Vulnerabilities

This issue involves compromised hardware, which is much harder to fix than compromised software.

Most importantly, these are hardware-level vulnerabilities that exploit the design flaws of processor microarchitecture. In contrast to software vulnerabilities that can be solved by patching the susceptible code, definitively fixing hardware issues requires full processor architecture redesign, according to co-author of research on Spectre vulnerability, Daniel Genkin. Software patching is still an option in some situations, but due to the nature of the problem, it’s not without performance and speed drawbacks. With Spectre, some researchers suggest that complete protection is only possible by replacing the chip.

Almost every kind of processor is at risk—especially Intel chips.

As of now, it is confirmed that processors from Intel, AMD, Qualcomm, and ARM are prone to these attacks, with Intel chips being hit especially hard. Daniel Gruss, the researcher who discovered Meltdown, commented in his reply to ZDNet that most Intel chips dating back as far as 1995 may be susceptible to attacks. How? Before releasing proof-of-concept code, researchers verified their results on Intel chips from only the last 7 years.

As the story unfolds, electronic and operating system vendors have been releasing their statements regarding the situation.

  • Apple has confirmed that all macOS and iOS products are affected, except the Apple Watch, and has announced that the already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 help defend against Meltdown.
  • Urgent updates have been announced for other operating systems like Windows 10 or Linux. With Microsoft, the update should prevent exploitation of Meltdown vulnerability. More will follow for Windows 7 and 8 within days.

Important: In case you haven’t updated yet and use a third-party AV, Microsoft has pointed out that updates will only be functional on those machines where the AV product has updated the ALLOW REGKEY. The update description contains the details you may need when contacting your AV vendor. Users whose AV vendor hasn’t made an update to its registry key may experience compatibility issues. Those using Windows Defender won’t be affected. Take a look at this Google doc, containing the information from AV vendors for their products’ compatibility with the security update.

The Discovery of Meltdown and Spectre CPU Vulnerabilities

It may seem that both Spectre and Meltdown have surfaced out of the blue, but in reality Meltdown was already known to three teams who reported it.

Reporting teams include: Google Project Zero researchers, Cyberus Technology representatives, and a research team from Graz University of Technology. These teams have also been working on tools for mitigation of the issue. Some of them have taken part in Spectre research alongside colleagues from Universities of Pennsylvania, Maryland and Adelaide.

The details of the vulnerabilities were provided to chip vendors in the spirit of what is known as “responsible disclosure” in June 2016. Researchers reached out to affected companies prior to publishing the findings, allowing them to secure the flaws and prevent their abuse. Originally, the research papers were to be published by the 9th of January 2017, but an article revealing information on the exploits appeared on The Register website on January 2nd. Earlier, many in the security community had noticed that Windows and Linux development vendors had been rolling out kernel patches, but the details had not been disclosed at that time.

How Do CPU Vulnerabilities Work?

We won’t be diving too deep into computer science and CPU architecture, but for more tech details, take a look at these papers: Meltdown, Spectre.

Meltdown CPU Vulnerability Basics

The Meltdown vulnerability almost exclusively affects Intel processors. Aside from Intel, only a few ARM chips are susceptible. Intel stated that the chip exploit isn’t unique to Intel, mentioning AMD as another affected manufacturer. According to security adviser Paul Kocher in an email to CNBC, AMD is prone to Spectre attacks. Meltdown isn’t AMD’s weak spot.

Meltdown allows potential attackers to get access to the kernel memory of the operating system (OS) and read sensitive data. It is important to know that the kernel is the core entity required to connect software applications with the computer’s hardware, serving as the mediator between software, the CPU, RAM (random access memory), etc. Basically, the kernel manages hardware resource allocation for many programs running simultaneously. Naturally, the kernel is a privileged process that runs in protected memory, separated from the so-called user space where other applications run. In fact, this separation or “memory isolation” is very important:

“Operating systems ensure that user applications cannot access each other’s memories and prevent user applications from reading or writing kernel memory. This isolation is a cornerstone of our computing environments and allows running multiple applications on personal devices or executing processes of multiple users on a single machine in the cloud.” – excerpt from the research paper on Meltdown

The problem with Meltdown is that it can demolish this isolation, allowing an attacker to read the OS kernel memory or that of another app from an unprivileged user process.

“The vulnerability basically melts security boundaries which are normally enforced by the hardware,” researchers clarify in a Q&A dedicated to Meltdown.

The video below shows how Meltdown exploitation makes it possible to recreate a photo from leaked memory.

Video published by Michael Schwarz

Intel has acknowledged the problem and announced updates to mitigate Meltdown. On January 4th, 2017, hardware manufacturers rebutted the rumors of possible device slowdowns for consumers running basic tasks on their Intel-powered devices. The company also cited cloud vendors like Amazon, Google, and Microsoft as having seen no noticeable effects on performance after the patches.

Spectre CPU Vulnerability Basics

Discovered at almost the same time as Meltdown, Spectre has its own peculiarities: it affects more processor vendors, including Intel, Apple, ARM and AMD, which greatly extends possible attack opportunities.

By exploiting CPU architecture flaws, Spectre destroys memory isolation, giving attackers the possibility to access the memory contents of other software applications running in user space.

Apple’s statement specifies that Spectre is a common name for two known exploitation approaches. Even though both of them are hard to exploit locally through an app, it seems that malicious JavaScript execution in browsers may be a viable vector for launching a Spectre attack.

Apple Safari, Firefox and Chrome will include site isolation functionality in upcoming releases. This is intended to address cases of weaponized JavaScript being used to snoop through other processes (website tabs) in search of sensitive info.

Interestingly, both vulnerabilities exploit shortcomings of a CPU feature called speculative execution, which was originally intended to increase speed and optimize the chips’ operation. Speculative execution lets the CPU perform some tasks ahead of time, on the “assumption” that they may be needed, rather than when (or after) it is known that they are needed. Time is saved by not having to wait until a task is known to be needed. If the “assumption” turns out to be wrong, the speculative execution is supposed to be cancelled with no remnant effects – at least that’s how it was supposed to be. In reality, the CPU’s cache, which is used for faster access to memory (remember, it’s all about the speed!), is also used during speculative execution, and it plays a role in the attack.

CPUs perform checks to prevent non-privileged programs (code) from accessing kernel memory. If a non-privileged program tries to read privileged memory, the CPU determines that it doesn’t have the rights to do so and blocks it, generating an exception, before any data is passed back to the non-privileged program. However, that is not the case with speculative execution. Having executed the code speculatively, the processor allows the memory access to occur and reads the privileged memory (no checks from the CPU in this case!). Some of that data is then already cached by the CPU, and attackers may snoop through the cache contents in search of secret data. This is how Meltdown and Spectre abuse speculative execution to read memory that isn’t supposed to be accessible.

What’s Next and What to Do for Meltdown and Spectre

  • Keep calm. There is no need to rush to your nearest electronics outlet. Instead, keep your OS updated (Remember the part on kernel memory exploitation by Meltdown?)
  • Update browsers and use site isolation. Here is how to set site isolation in Chrome. Firefox released mitigations with Firefox 57.0.4, Beta and Developers Edition 58.0b14, and Nightly 59.0a1 dated “2018-01-04” and later. Microsoft is planning to make changes to supported versions of Internet Explorer 11 and Edge browsers as part of the security updates.
  • Remember, since both vulnerabilities are hardware related, it is a good idea to check on a firmware update with your computer’s vendor. It should provide an extra layer of protection.
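
One way to confirm that an updated Linux kernel is actually applying the Meltdown and Spectre mitigations, as an added example that is not part of the original article: it assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities reporting directory, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: read the kernel's self-reported Meltdown/Spectre status.
# Assumption: a Linux kernel new enough to expose this sysfs directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status <first line of a status file>
# prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [dir]
# Prints one line per issue. Status 0: all OK or MITIGATED; 1: at least one
# VULNERABLE or UNKNOWN entry; 2: the kernel offers no report at all.
# The body runs in a subshell so its variables stay local.
check_cpu_vulns() (
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no-data   $dir is missing; the kernel may predate the patches"
        exit 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        text=""
        if [ -r "$dir/$name" ]; then
            text=$(head -n 1 "$dir/$name")
        fi
        verdict=$(classify_status "$text")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "${text:-<no entry>}"
        case "$verdict" in
            OK|MITIGATED) ;;
            *) rc=1 ;;
        esac
    done
    exit "$rc"
)

# Report on the live system; a non-zero status means follow-up is needed.
check_cpu_vulns || echo "follow-up needed (status $?)"
```

A missing entry is reported as UNKNOWN rather than as safe, because a kernel that does not report on an issue has most likely not been patched for it.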

Notably, to this day, there are no known cases of Meltdown or Spectre abuse. However, researchers state that mitigating Spectre is going to be a complicated and lengthy process, with no 100% safety guaranteed by software patches. The wider variety of affected chips and, consequently, device types will require a lot of work from both processor makers and device vendors.

Want to Stay Updated?

Shortly, we will be posting a separate article, containing suggestions for updating affected operating systems, browsers and devices, including phones, tablets, etc.