January 5, 2018

Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices.

At issue are two different vulnerabilities, dubbed “Meltdown” and “Spectre,” that were independently discovered and reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. The details behind these bugs are extraordinarily technical, but a Web site established to help explain the vulnerabilities sums them up well enough:

“These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

The Meltdown bug affects every Intel processor shipped since 1995 (with the exception of Intel Itanium and Intel Atom before 2013), although researchers said the flaw could impact other chip makers. Spectre is a far more wide-ranging and troublesome flaw, impacting desktops, laptops, cloud servers and smartphones from a variety of vendors. However, according to Google researchers, Spectre also is considerably more difficult to exploit.

In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws. For now, there don’t appear to be any signs that attackers are exploiting either to steal data from users. But researchers warn that the weaknesses could be exploited via Javascript — meaning it might not be long before we see attacks that leverage the vulnerabilities being stitched into hacked or malicious Web sites.

Microsoft this week released emergency updates to address Meltdown and Spectre in its various Windows operating systems. But the software giant reports that the updates aren’t playing nice with many antivirus products; the fix apparently is causing the dreaded “blue screen of death” (BSOD) for some antivirus users. In response, Microsoft has asked antivirus vendors who have updated their products to avoid the BSOD crash issue to install a special key in the Windows registry. That way, Windows Update can tell whether it’s safe to download and install the patch.

But not all antivirus products have been able to do this yet, which means many Windows users likely will not be able to download this patch immediately. If you run Windows Update and it does not list a patch made available on Jan 3, 2018, it’s likely your antivirus software is not yet compatible with this patch.

Google has issued updates to address the vulnerabilities on devices powered by its Android operating system. Meanwhile, Apple has said that all iOS and Mac systems are vulnerable to Meltdown and Spectre, and that it has already released “mitigations” in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. The Apple Watch is not impacted. Patches to address this flaw in Linux systems were released last month.

Many readers appear concerned about the potential performance impact that applying these fixes may have on their devices, but my sense is that most of these concerns are probably overblown for regular end users. Forgoing security fixes over possible performance concerns doesn’t seem like a great idea considering the seriousness of these bugs. What’s more, the good folks at benchmarking site Tom’s Hardware say their preliminary tests indicate that there is “little to no performance regression in most desktop workloads” as a result of applying available fixes.

Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF). Additionally, Google has published a highly technical analysis of both attacks. Cyberus Technology has their own blog post about the threats.


86 thoughts on “Scary Chip Flaws Raise Spectre of Meltdown

  1. John

    Not the least bit worried about performance issues, that to me was completely over hyped by media. The real concern is going to come from any attacks placed into the wild to see if the patches really work. The consensus is Meltdown is manageable but Spectre could remain a issue or at least not completely mitigated. This architecture has been used in CPU’s for a long time without any attacks. This may simply be something to complex to bother with for hackers. There are plenty of easier ways to gain access to computers. I am not worried about either of these right now.

    1. Nick A

      trefunny is dead-on. You are most definitely not speaking as someone with IT related responsibilities/understanding.

      In terms of performance impacts — They are more than concerning, especially for virtualized environments running high I/O. There are multiple variants of Spectre, and addressing all of them will create enough risk to first perform extensive lower environment testing, to ensure the impact won’t result in an outage.

      In terms of ‘gaining access’ – This exploit isn’t a privileged escalation vuln, or a vuln used to gain access to a system (from a vulnerability categorization perspective). Depending on which of these we are talking about, one would already need to have access, and privileged at that, in order to exploit the vuln (again depends on which exploit we are talking about).

      Complexity — The complexity of vulnerability exploitation is usually considered ‘complex’ at zero-day, yet very quickly becomes nothing more than a script-kiddy level packages that can identify and exploit a system with a single scan of an IP range.

      Both of these are a big deal. Anyone who is responsible for security at a large corporation has this as their top priority, with daily calls to document exposure, remediation as well as scanning the environment to detect any potential attempt of leveraging this attack (at the moment not easy to do).

      1. Ed G

        You are correct on this. My team has a daily report on the vuln & patch status for both of these issues. This is a HIGH priority were I am.

    1. bigmacbear

      Yes. Check with your IBM support team for firmware and OS patches.

  2. George

    AIUI, Intel [1] says that their ‘Management Engine’ (who knew?) needs to be separately updated, and that you need to get that via your PC/Motherboard vendor. It is not clear to me whether our old Dell Dimension PC will make the cut.

    So,
    1. My uncertain impression is that this flaw will let a program (a Java script?) see data currently residing in another program’s memory. By inference, it cannot be used to install malware of access a drive. Is this correct?

    2. If so, what data is actually resident in accessible memory? For ex, if my browser is pointed at a bank account, would it be possible for a a script in another browser tab to see account numbers, etc? Would the password be exposed, if I don’t use a password manager (ie, I enter them manually)?

    3. If so, is this realistically feasible to do? It seems like it would be mind-bogglingly difficult to dig through and parse.

    [1] https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

  3. Ellenor Malik

    It is irresponsible, given that this is a WannaCrypt-level bug, that Microsoft will not also patch Windows XP on affected platforms with compatible antivirus.

    FreeBSD patches appear to be forthcoming.

      1. I.T. Guy

        Some diagnostic equipment for pharma, oil, etc, costs hundreds of thousands if not millions to upgrade. Some of those systems are tied to NT( Yes there are NT machines out there)xp, 2000.

    1. Daniel

      One might argue that it is more irresponsible to still be running an OS that went “end of life” almost four years ago in a manner that makes it vulnerable to malware/viruses spread on the Internet.

      1. Jake Brodsky

        There are embedded versions of Windows XP that are still being supported for at least another year.

        There is more to the world of OS support than just desktop management…

        1. James Beatty

          There are patches for this issue for Windows XP Embedded on the Microsoft Update Catalog. You can download and apply them manually if they won’t install in the normal fashion.

    2. The Phisher King

      If you really are that cheap, you could try to get another 12 months of support for XP by altering a registry key to make Windows Update believe that it is the embedded version of XP.
      But really, install a modern OS, OK?

      1. Chris Pugson

        The XP embedded updates in question do not brick the AMD processor equipped XP systems they are supposed to be protecting.

  4. stone

    best idea just guy take stone and smash the computer
    best to do

  5. zn

    >In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws.

    Interestingly, the Raspberry Pi processors are completely immune to this issue because they do not use speculative processing.

  6. Chris Pugson

    The day BEFORE Patch Tuesday this month I was offered the Jan 2018 security rollup for Windows 7, installed it and when Windows tried to restart I was presented with a blue screen and several 8 and 16 digit HEX numbers. Windows did the same when I tried safe mode. The system is apparently bricked.

    This was a tidy stable Windows 7 (64bit) which smoothly negotiated previous Patch Tuesdays for many years. I ask myself if the Spectre/Meltdown fixes were responsible for the BSOD. I am taking measures to protect several Windows 7 systems belonging to friends by preventing automatic updates until a safe security rollup appears. I do not know if Windows 8.1 is affected.

    How does one tell Microsoft that an update might be a bad one?

      1. luzelines

        Additional info specific to AMD processors:
        “Microsoft has suspended delivering the latest Windows update to certain systems with AMD processors after reports that the update was causing the machines to crash with a blue screen of death when booting. The update contains countermeasures against both the Meltdown and Spectre attacks; although AMD systems are not affected by Meltdown, they’re vulnerable to Spectre.”

        https://arstechnica.com/gadgets/2018/01/bad-docs-and-blue-screens-make-microsoft-suspend-spectre-patch-for-amd-machines/

    1. Dean Marino

      MANY BSOD reports. This is far more serious than the original threat.

      STRONG SUGGESTION: If you CAN, BLOCK KB4056894. HIDE it, if lucky enough to be running Win7.

      Wait for the FEB Rollup patch. If it’s a rollup? You should get something that works, given 30 days of unfortunate end user experiments.

      KB4056894 is potential DEATH.

    2. Ron G

      Three brief points:

      1) ComputerWorld is reporting on the post-patch bluescreens, and their article on this notes that KB4056894 (the Win7/64 patch) has apparently mutated from “Version 1” to “Version 2”. I myself just downloaded and installed KB4056894 (i’m guessing that i got the v2) to my Intel-based Win7/64 system and no problems so far.

      2) Regular backups are your friend. (It didn’t require any bravery on my part to try KB4056894/v2 because I had a fresh Clonezilla backup. If worse came to worse, I’d just restore from that.)

      3) I’m just part way through running a comparative before/after speed test, specifically checking the time taken to do a Handbrake video reencode of an entire ripped DVD ISO, but so far, and consistant with early reports elsewhere, the patch doesn’t seem to have any significant effect at all on compute-intensive tasks like this. The before/after speeds for this one specific task are looking to be virtually identical, pre-patch and after-patch.

    3. Chris Pugson

      I had thought that the problem could be due to the system’s processor being an incredibly ancient AMD 64-bit Sempron 3000 (with single core!). This is now apparently not so.

      I tried to get the issue across to MS UK support at 1500 hours GMT yesterday (8 Jan 2018) and was greeted with bewilderment. I guess that MS has no contingencies in place for reporting urgent and vital matters to it.

      1. Chris Pugson

        I was wrong in my previous comment. It is reported that users of AMD processors are the unwitting victims of this cock-up.

        Is it safe to use the Jan 2018 security rollup on systems with Intel processors?

        At the moment, it seems that my Windows XP (POSReady with updates) AMD Athlon XP 3000+ powered system is less insecure than later versions of Windows.

        1. Jason

          Except that it’s still Windows XP, which is inherently less secure than Win 7-8-X against a whole range of other exploits.

  7. Technotron

    “a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs”

    If I have a malicious program already running on my PC or phone BEFORE Meltdown and Spectre, isn’t it too late to worry anyways? and if I DON’T have malware on my system then I don’t need to worry about Metldown and Spectre?

  8. Chris Pugson

    This situation shows up the monolithic updates now adopted for Windows 7 and later. Having suddenly become aware of the issue which turns out only to have affected Win7 systems with AMD processors, I did a cancellation of the Windows 7 Jan 2018 security rollup download for an Intel equipped system which I had commenced a few minutes after the AMD equipped system and now it is marked as ‘Cancelled’ and will not install. I am thus deprived of the other non-Spectre non-Meltdown security updates.

    I will have to wait to see if Windows update has been broken by my emergency stop of the rollup

  9. stoner

    guys get one nice stone ,and smash just your computer,
    yea,,,baby smah that ou yee,smash it smash that..pc
    helll yeaaaaa

  10. Chris Pugson

    Wow! My Windows 7 running on an Intel Pentium 4 3.2GHz two core processor is sooooo slooooow now that the Meltdown/Spectre fix is installed.

  11. Rick

    Is it possible for the Windows 10 v1709 patch to affect the Trusted Platform Module (TPM)? I have a Dell Latitude E6510 and recently enabled the TPM in BIOS to support BitLocker. After doing so, updated the TMP driver and I was able to see the TPM in TPM Management, and I encrypted my OS drive (along with 2 others).

    After upgrading Norton to create the registry key and then installing the MS “2018-01” update (and rebooting), I was now required to enter the BitLocker Recovery Key for my OS drive (and only my OS drive) on every boot. I also noticed that I can no longer see my TPM in TPM Management . I tried recreating the recovery key for my OS drive, but I was still required to enter the BitLocker Recovery Key for my OS drive (and only my OS drive) on every boot. I finally decrypted my OS drive. Any comment/direction you can provide in this area would be greatly appreciated!

Comments are closed.