Meltdown and Spectre from Intuity

A practical approach to understanding and mitigating the problem

WHAT ARE THEY?

Meltdown and Spectre are two different vulnerabilities that, by abusing a characteristic typical of modern processors, allow unauthorized applications to read the memory of a system. This means that an attacker could read data in memory while it is being processed by other applications.

Who is affected by it?

Almost all Intel, AMD and ARM processors used in desktop systems, notebooks, servers and mobile devices such as smartphones and tablets.

Is the problem urgent?

The problem is real and must be solved as soon as possible, but this does not make it an emergency: to exploit these vulnerabilities an attacker must run code on the target system, which requires a certain level of expertise and a fairly well-organized attack.

Moreover, no attacks (exploits) that make use of these vulnerabilities are currently known, but this situation is unlikely to last much longer.

WHO CAN BE HIT AND HOW?

Mobile devices: a user who installs untrusted apps, or apps not obtained from an official store, is definitely at risk.

PCs: these are the most at risk, because the attack can be delivered through a phishing e-mail or by browsing compromised sites, both of which happen quite frequently.

Servers: to compromise a server, the malicious code must reach it. This can happen if the system is used to read mail or browse the Internet, if someone connects removable devices that may be compromised, or if an attacker exploits other vulnerabilities in the system itself to run code remotely, from the Internet or from another previously compromised location.

HOW CAN I MITIGATE THE PROBLEM?

The surest way to put your mind at rest is to install the patches that the various vendors are releasing in these days. This is not a definitive solution: some of the problems are not yet solved on every operating system. Patches are currently available for Microsoft Windows, macOS, Linux, some browsers and VMware, and further updates will follow in the coming days. Intel has said it is working on BIOS updates for some processors.

Note: because of a number of compatibility issues detected with various antivirus products, Microsoft's updates will not be downloaded unless the following registry value is present on the system:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value: cadca5fe-87d3-4b96-b7fb-a231484277cc
Type: REG_DWORD
Data: 0x00000000
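To find out whether this value is present before expecting the updates to show up, the following PowerShell snippet reads it and, if wanted, creates it. This is an added example, not code from the Intuity article; it assumes an elevated PowerShell session and uses the key, value name, type and data exactly as listed above. Creating the value by hand bypasses the compatibility gate described in the note, so it should only be done once the installed antivirus is confirmed to be compatible with the updates; for that reason the call that creates it is left commented out.

```powershell
# Added example (not from the article): check for the QualityCompat registry value
# that gates delivery of the Meltdown/Spectre Windows updates, and optionally set it.
# Run from an elevated PowerShell session.
$QualityCompatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompatValue {
    # Returns $true only if the value exists and holds the expected REG_DWORD data 0.
    $item = Get-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$QualityCompatName -eq 0)
}

function Set-QualityCompatValue {
    # Creates the key if missing and writes the REG_DWORD value with data 0x00000000.
    if (-not (Test-Path -Path $QualityCompatPath)) {
        New-Item -Path $QualityCompatPath -Force | Out-Null
    }
    New-ItemProperty -Path $QualityCompatPath -Name $QualityCompatName `
                     -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatValue) {
    Write-Output "QualityCompat value present: Windows Update will offer the January 2018 updates."
} else {
    Write-Output "QualityCompat value missing: the updates will be withheld until it is set."
    # Uncomment only after confirming the installed antivirus is compatible:
    # Set-QualityCompatValue
}
```

On a fleet, the test function alone is enough to report which machines are still being held back; the set function is there for the case where the antivirus vendor has confirmed compatibility but has not written the value itself.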

For a clear and detailed list of which patches are currently available, what they fix and what they do not, and which problems to expect, we recommend these sites:

  • https://meltdownattack.com/
  • https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help

Warning: it is very likely that no patches of any kind will be released for unsupported operating systems such as Windows XP, among others.

Can antivirus systems stop the attack?

Almost certainly not: to an antivirus system the behaviour of the malicious code looks legitimate, so it is difficult to detect as malware; additional checks may be made available in the future.

What can I do if the systems are not upgradable or if the patching time is very long?

As mentioned above, exploiting these vulnerabilities requires code (an application, JavaScript, etc.) to be executed on the system, so you need to take precautions to minimize the risk of that happening.

These precautions should already be part of a security process, because they apply to Meltdown and Spectre as well as to many other serious forms of attack:

  • Verify regularly that your systems are not vulnerable to attacks that allow a remote user to execute arbitrary code (“Remote Code Execution”). This check should cover both services exposed to the Internet and those reachable from inside the company.
  • Verify that business users are prepared for and aware of security threats, and are able to recognize them in their daily use of IT tools: e-mail, the Internet, mobile devices.
  • Verify that you have efficient and effective security tools, such as next-generation anti-malware, anti-spam systems, sandboxing, web-browsing controls and intrusion prevention.
  • Verify that server systems are not (and cannot be) used for activities that are not their job, such as Internet browsing, e-mail and file downloads.
  • Verify that server systems do not allow the use of unauthorized removable devices, such as USB sticks and USB drives.

Is it true that patches have an impact on CPU performance?

Yes: to mitigate the problem you have to give up some features of modern CPUs that are used to optimize their computing capacity. How large the degradation is remains uncertain; it also depends on the CPU itself and on the applications that use it.

It may be appropriate, especially where computing capacity is a determining factor, to first measure CPU usage and then evaluate whether and where patches can be installed without compromising system usability.
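One simple way to take that measurement on a Windows host is to sample total processor utilisation over a fixed window before patching, keep the result, and repeat the same sampling after the update so the two can be compared under similar load. The snippet below is an added example, not code from the Intuity article; the function name, the sampling window and the output file name are choices made here, and it relies only on the standard Get-Counter cmdlet and the built-in "% Processor Time" counter.

```powershell
# Added example (not from the article): record a CPU utilisation baseline so the
# effect of the Meltdown/Spectre patches can be measured rather than guessed.
function Get-CpuBaseline {
    param(
        [int]$Seconds  = 60,   # total sampling window (assumed default)
        [int]$Interval = 5     # seconds between samples (assumed default)
    )
    $counterArgs = @{
        Counter        = '\Processor(_Total)\% Processor Time'
        SampleInterval = $Interval
        MaxSamples     = [int]($Seconds / $Interval)
    }
    # Each sample set carries one CounterSamples entry for the _Total instance.
    $values = Get-Counter @counterArgs |
              ForEach-Object { $_.CounterSamples[0].CookedValue }

    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Taken   = Get-Date
        Samples = $values.Count
        AvgPct  = [math]::Round(($values | Measure-Object -Average).Average, 2)
        MaxPct  = [math]::Round(($values | Measure-Object -Maximum).Maximum, 2)
    }
}

# Run once before patching and once afterwards; keep both CSV files for comparison.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-CpuBaseline -Seconds 60 -Interval 5 |
    Export-Csv -Path ".\cpu-baseline-$stamp.csv" -NoTypeInformation
```

For a meaningful comparison, run both measurements during the same kind of workload (for example the nightly batch or peak business hours) and on the same hardware; a single one-minute sample taken at an idle moment says nothing about the patch's cost.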

In conclusion, there is no reason to panic; what is needed is a clear picture of the extent of the problem and of how it can affect your organization, and a careful plan of the actions to take, applying patches and firmware updates as they become available.

A reflection that comes naturally in situations like this, and in those experienced during the past year with WannaCry, Petya and everything else that has characterized 2016 in terms of cybersecurity, is this:

Why do we always find ourselves chasing the problem, thinking only of solutions that meet the needs of the moment, when we could instead act preventively and create an environment that is “safe” by design? It sounds utopian, but it is not: it is simply a process that must be set in motion, and it has one prerequisite: being aware that cybersecurity is a real problem to be faced. As long as that awareness is missing, it all comes down to a kind of game in which the attacker always wins and the defender wins only when it does not depend on him.

The main ingredients of this magic recipe, in our view, are:

  • Create awareness of the impact that cyber-insecurity can have on the business.
  • Create awareness in people about cyber threats and security issues in general.
  • Use the right technologies, in the right context, to mitigate certain types of problems.
  • Carefully check the residual risks and take prompt action to reduce them.