The "Meltdown" and "Spectre" Vulnerabilities
Why they are called the worst security flaws in history, and what you should do about them
We haven't had significant stories of technological apocalypse since 2014, when we covered the Goto Fail and Heartbleed bugs that lit up mainstream news websites and created a bit of a panic.
Just as we returned to work after New Year's 2018, we learned of another pair of "bugs", which are apparently much worse. See, Goto Fail and Heartbleed were errors in software programming in many web servers, some network devices, and Apple products that were easily fixed with software updates. Meltdown and Spectre, however, are vulnerabilities related to how computer hardware operates. Meltdown affects many, but not all, devices, and can be mitigated with an operating system workaround that prevents it from being exploited. Researchers have reported that the Spectre bug, however, cannot be fully mitigated with software alone, and it affects pretty much every last commercial and consumer electronic device in use today: servers, desktops, laptops, tablets, mobile phones, network devices, your Internet-connected A/V equipment, and anything else with a microprocessor that connects to the Internet.
So what can someone do with these vulnerabilities? In short, both of them make it so that security-related information stored in your computer, even in the deepest, protected areas, can be accessed by software running on your computer that is not supposed to be able to get it. This could mean full access to your e-mail and passwords, which could then be transferred to criminals through the Internet.
Why This was Big News
These vulnerabilities are so significant that they each have their own official logo, even though the capability for programs to access protected data in computers has existed due to other vulnerabilities or bugs in the past. What makes these ones particularly notorious, newsworthy, and worrisome are these factors:
- The flaw is in functionality etched into your microprocessor hardware, which would imply that it can't be fixed with a software update.
- Virtually every computer and device in the world is affected, meaning the entire IT industry, from software publishers, hardware manufacturers, and cloud services providers, must urgently respond.
First, a bit of good news: these flaws can't plausibly be activated on your computer or mobile device remotely by some hacker over the Internet. They can only be exploited by software actually running on your device, which is how most vulnerabilities we've dealt with in the past have worked. So, if you haven't changed anything on your computer, it's not now suddenly prone to start sending your passwords out to criminals.
If your computer does get compromised by software that intends to exploit Meltdown or Spectre, an attacker would need particular knowledge of you and what he's looking for to get anything worthwhile. And if you're prone to run unwanted or high-risk software on your computer, you're more likely to catch some malware that encrypts all your files and demands a ransom payment to restore them, because that's a much more efficiently profitable attack for a criminal to carry out. So, while these flaws introduce a novel technological threat vector, nothing has changed as far as how you use (or should use) your computer.
Devices that do not access websites or download software are safe. So, even if the tiny computer that controls your refrigerator has the flaw, no malicious software is going to execute on it, so there is no need to replace it.
These flaws are hugely significant for servers running in the cloud, and here's why calling this apocalyptic wasn't so far-fetched. See, a vast amount of Internet services we use every day are hosted on virtual machines running on physical servers shared by many different companies (that is, "the cloud"). As you may remember, the Heartbleed bug of 2014 made it so a criminal could steal secret encoded information from a particular publicly-accessible virtual machine that was running the buggy software, such as a website or mail server. Other virtual machines running on the same physical server, though, are unaffected by the compromise of one through Heartbleed. But with Meltdown and Spectre, someone could conceivably sign up for an account in Microsoft Azure, Google Cloud, or Amazon Web Services, spin up a virtual machine, run exploitative software, and instantly access the most sensitive data on all the other virtual machines running on the same physical server, including back-end virtual database servers that don't connect to the Internet. If your virtual machine running in a cloud services provider's system is targeted, there is nothing you can do about it.
Note that neither of these vulnerabilities by itself enables anyone to modify the exposed data in place, or alter the function of the compromised virtual machines. However, someone could use information found from examining protected memory of a server to then log in to the server as an administrator, and thereby do anything he wants with it.
Encrypted data is only at risk if the encryption keys are prone to exposure. So if you encrypted some sensitive data before pushing it to a virtual machine in the cloud, and that virtual machine doesn't have the encryption keys, then the data is not going to be exposed merely by a criminal gaining access to the server.
There are no reported instances of anyone successfully exploiting these flaws in an actual hostile infiltration. The flaws were reportedly discovered by three separate ethical research agencies, who exist specifically to find flaws like this and tell the companies that need to fix them. The public announcement was scheduled for January 9, 2018, but the news leaked about a week earlier, when people noticed operating system patches for Linux being pushed out. Since Linux is open source, neither the changes nor the reasons for them could be kept secret.
In news reports, you'll usually see mention of what Microsoft, Apple, Intel, and maybe Google are doing about this. These are the biggest players in the IT world. Microsoft and Apple are responsible for the operating system software that runs Windows-based and Apple devices, respectively. Intel is the leading microprocessor manufacturer for computers and tablets. Google and Amazon Web Services (AWS), along with Microsoft and Apple, run millions of servers that are all vulnerable, hosting cloud services used by at least two billion people worldwide.
Meltdown, as mentioned, can be fixed with a software patch. Microsoft announced, on the day of disclosure, that they had already updated most of their servers to mitigate Meltdown in their cloud service, Azure. Google and Amazon had done the same by the next day. The software patch, however, has been reported to slow down server performance, depending on the tasks the server performs.
But for Spectre, the fix is much more complicated. Physically replacing the microprocessors on all the servers in the cloud isn't feasible. It may be possible for the microprocessors to be reprogrammed through a microcode update (changing the programmable part of the microprocessor itself), but this could also be very time-consuming and enormously expensive. And, fixing the problem at the microprocessor level may slow down performance, require all operating system and application software to be rewritten or recompiled, or both. Whatever they plan to do, cloud services providers and microprocessor manufacturers have a tremendous amount of work ahead of them for 2018. Not only that, any manufacturer of network equipment, data storage devices, or mobile phones will have to address this. So far, the response hasn't been encouraging—operating system patches, firmware updates to computers to change how the processor operates, and planned design changes for processors to be manufactured in the future, all have failed to fully address the problem, or can be expected to degrade performance.
What You Should Do
If you're a client of J.D. Fox Micro under an IT System and Cloud Management Contract, you don't need to do anything, as you should have security best practices already in place that will address this.
For your computers and servers, and other user devices, this means, at a minimum:
- A system that automatically or routinely installs software patches for all your IT equipment, which will ensure operating system and browser patches are installed;
- Anti-malware software, particularly endpoint protection, kept up-to-date, which will increase the chance that malware attempting to exploit Spectre can be blocked from executing in the event proper patches are not in place;
- Technological measures and user education programs in place to prevent users from running unapproved software;
- A robust data backup system, particularly one that pulls data off of your production/Internet-connected network, so that you don't suffer devastation in the event the first three items in this list fail to prevent a compromise of your system resulting in data loss.
If all this is in place, you're off to a good start. But if you need help implementing the above in your business, contact J.D. Fox Micro.
For older devices, you may not be able to get operating system patches, so you need to consider how to continue using these devices, if at all.
If you are a cloud services customer, then you don't need to do anything if all you use are Software-as-a-Service applications, such as Google G Suite, Microsoft Office 365, NetSuite, QuickBooks Online, or QuickBase.
But, if you have private virtual machines hosted in Microsoft Azure, Google Cloud, Amazon Web Services, or vCloud Air, or even with a smaller provider like WestHost or Bluehost, then you should look out for advisories from your cloud services provider for anything you might need to do, in addition to installing patches within your virtual machines. For example, you might want to find out when your host server has been patched, in case you need to restart your virtual machines following the update, as Microsoft has asked its Azure customers to do.
Of course, if you run your own private cloud, then you need to patch your host servers, as well as your virtual machines, if anyone (even within your company) has access to create and run virtual machines, or even run software within virtual machines.
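To confirm that the patches you install inside a Linux virtual machine (or on a private-cloud host) are actually active, the patched Linux kernels publish a one-line status for each issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from the original article or from any vendor; it reads those files and flags anything that is not reported as mitigated. It assumes a kernel that carries the January 2018 patches (older kernels do not have the directory at all, which the script reports as "unknown" and counts as needing attention), and the directory path is a parameter only so the functions can be pointed at a copy of the files for testing.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises the mitigation
# status that patched Linux kernels publish under
# /sys/devices/system/cpu/vulnerabilities, so an admin can verify inside each
# Linux VM (or on a private-cloud host) that the Meltdown and Spectre patches
# are active after an update. The directory is a parameter so the functions
# can also be run against a copy of the files.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
# The three entries introduced with the January 2018 patches.
VULN_NAMES="meltdown spectre_v1 spectre_v2"

# Print the kernel's one-line status for one entry, or "unknown" when the
# file is missing (a kernel too old to carry the patches, or a non-Linux box).
vuln_status() {
    dir="$1"; name="$2"
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo "unknown"
    fi
}

# Exit status 0 when the entry reports "Mitigation: ..." or "Not affected",
# 1 when it reports "Vulnerable..." or is unknown. Anything that is not an
# explicit mitigation is treated as needing attention.
is_mitigated() {
    case "$(vuln_status "$1" "$2")" in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# Print one report line per entry and, on the last line, the number of
# entries needing attention. Always exits 0, so it is safe under `set -e`.
check_all() {
    dir="$1"; bad=0
    for name in $VULN_NAMES; do
        printf '%-11s %s\n' "$name:" "$(vuln_status "$dir" "$name")"
        is_mitigated "$dir" "$name" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Just the count, for scripting (e.g. a monitoring check that alerts when
# the value is non-zero).
count_unmitigated() {
    check_all "$1" | tail -n 1
}

# Stand-alone use: print the report for this machine.
check_all "$VULN_DIR"
```

Run it after every kernel or firmware update and again after the cloud provider reports the host as patched; a "Vulnerable" or "unknown" line for spectre_v2 is the usual result on early 2018 builds, since that entry also depends on microcode the provider must supply.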
Again, for help with this, please contact J.D. Fox Micro.
What's so terrifying about this for any individual is that if someone is able to steal information from your computer with these exploits, you are unlikely to know it happened, whereas you would know if you fell for a phishing scam or got hit by ransomware. And if this includes passwords, and someone is able to log in to sensitive accounts of yours, the results could be terrible. The possibility of this situation is why it has always been considered a good practice only to deal with sites that use secure methods for authentication beyond just passwords, such as multi-factor authentication, so that if someone does steal your password, they won't be able to get right in too easily.
If you're responsible for a company with any significant information assets (meaning, pretty much any business), these kinds of calamitous security incidents, the manner in which they can lead to the total compromise of your IT systems, and the potential for more of these in the future, indicate why it's so important to have a robust Information Security Program.