2018 started with a bang when, on 3 January, Google Project Zero dropped a bomb in the shape of two papers detailing three vulnerabilities which affected “every Intel processor which implements out-of-order execution…which is effectively every processor since 1995”.
The vulnerabilities were dubbed Meltdown and Spectre, and such was their importance that mainstream news outlets were covering the issue almost as quickly as the cybersecurity community. The story made headlines worldwide.
The vulnerabilities had been disclosed to Intel by Google’s Project Zero in June 2017, and the industry was also aware of the problems. Intel had planned to release detailed information in the second week of January, when more software and firmware updates to address the issues would have been available. However, it was pushed into commenting earlier than planned because of what it viewed as incorrect and misleading media reports.
The points promulgated in the media included reports that only Intel that was affected, as a result of a bug unique to the company’s products. This was incorrect, and Intel’s decision to break its silence came after the slew of security advisories that followed in the days after Meltdown and Spectre’s publication. It transpired that processors manufactured by AMD and ARM were affected. Another complication was the fact that whilst Meltdown could be mitigated with direct updates to systems, Spectre could not be patched directly, instead requiring software tweaks that could prevent it being exploited.
In essence, Meltdown and Spectre could allow an attacker to extract information from privileged memory locations that should be absolutely inaccessible and secure. Exactly what data is vulnerable is only limited by what is present on the targeted machine. If the victim is a data controller, with systems that process personally identifiable information (PII), then clearly that sensitive data could be compromised. Depending on specific circumstances, the attacker could gain access to credentials and encryption keys allowing them access to personal data stored elsewhere, passwords for any service being run on the targeted machine, or session cookies for active sessions within a browser.
Over the days that followed, out-of-band updates were pushed for Microsoft and Apple operating systems, both current and some older versions, as well as for Chrome, Internet Explorer and Microsoft Edge, and Firefox browsers.
However, problems started emerging just hours after some of the patches had been released. On 9 January, Microsoft stopped security updates being rolled out to Windows OS devices using an AMD CPU. This announcement followed AMD users reporting a number of error types, including Blue Screen of Death (BSOD). That problem stemmed from unsupported third-party antivirus programs, which caused BSOD and stopped the computer booting properly. On 19 January, the company recommenced five of the nine updates that had been paused.
In the interim, Intel became the subject of three class-action lawsuits as a result of Meltdown and Spectre. The lawsuits, filed in the USA, accused Intel of deceptive practices, breach of implied warrant, negligence, unfair competition and unjust enrichment. There were also several proofs-of-concept (POC) for exploiting the vulnerabilities published on Github, and Nvidia confirmed that some of its chipsets were affected by Spectre: these included its GeForce, Tesla, Grid, NVS and Quadro chips. It has also recently come to light that an exploit is being sold for the Meltdown vulnerability, with @ShadowBrokrzz posting an advert offering the exploit for sale on the Scylla Hacking Forum for $8,900.
Major performance-related issues were reported on systems that had installed firmware updates for Spectre and Meltdown. In a blog post published by Microsoft, it was unequivocally stated that machines running Windows 7 or 8 running Intel Haswell or older CPUs would suffer a serious “decrease in system performance”. Newer systems with Windows 10 running on Skylake, Kaby Lake or newer CPUs would see very little change. Elsewhere, updates for the vulnerabilities were found to cause boot issues on machines running Ubuntu Xenial 16.04. These were just a handful of the problems faced by users and companies in trying to mitigate the potentially catastrophic consequences of these vulnerabilities.
Alongside the physical problems with devices, in terms of updating and patches not working, it did not take long for the cybercriminal fraternity to take advantage of the increased public concern. In one example, threat actors were sending malspam emails to users in Germany that purported to be from the German Federal Office for Information Security (BSI), offering external resources about Meltdown and Spectre. The domain to which users were connected from a link in the email distributed a ZIP archive which contained the Smoke Loader downloader malware. This is a typical technique of cybercriminals, who will seek to take advantage of any global event.
It is important to note that actual live attacks do not appear to have been carried out using these vulnerabilities. However, it is highly likely that malware developers and hackers will be hard at work determining how they can make the best use of these flaws.
There are several lessons to be drawn from this episode, not least the crucial importance of patching. With the upcoming introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, if a business fails to properly assess the risks of the vulnerabilities in its systems, and subsequently fails to patch, it could face hefty fines – and that’s not to mention the consequences were a data handler to be breached. We only have to look at the Equifax breach, the biggest of recent times, to see the monumental business and personal consequences that such an attack can have.
Updates for Meltdown and Spectre continue to be pushed by Intel and other chipset manufacturers, as well as Microsoft, Apple and others.
image source:By MrNick2018 (Own work) [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons