05
Jan 18

Scary Chip Flaws Raise Spectre of Meltdown

Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices.

At issue are two different vulnerabilities, dubbed “Meltdown” and “Spectre,” that were independently discovered and reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. The details behind these bugs are extraordinarily technical, but a Web site established to help explain the vulnerabilities sums them up well enough:

“These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

The Meltdown bug affects every Intel processor shipped since 1995 (with the exception of Intel Itanium and Intel Atom before 2013), although researchers said the flaw could impact other chip makers. Spectre is a far more wide-ranging and troublesome flaw, impacting desktops, laptops, cloud servers and smartphones from a variety of vendors. However, according to Google researchers, Spectre also is considerably more difficult to exploit.

In short, if it has a computer chip in it, it’s likely affected by one or both of the flaws. For now, there don’t appear to be any signs that attackers are exploiting either to steal data from users. But researchers warn that the weaknesses could be exploited via Javascript — meaning it might not be long before we see attacks that leverage the vulnerabilities being stitched into hacked or malicious Web sites.

Microsoft this week released emergency updates to address Meltdown and Spectre in its various Windows operating systems. But the software giant reports that the updates aren’t playing nice with many antivirus products; the fix apparently is causing the dreaded “blue screen of death” (BSOD) for some antivirus users. In response, Microsoft has asked antivirus vendors who have updated their products to avoid the BSOD crash issue to install a special key in the Windows registry. That way, Windows Update can tell whether it’s safe to download and install the patch.

But not all antivirus products have been able to do this yet, which means many Windows users likely will not be able to download this patch immediately. If you run Windows Update and it does not list a patch made available on Jan 3, 2018, it’s likely your antivirus software is not yet compatible with this patch.

Google has issued updates to address the vulnerabilities on devices powered by its Android operating system. Meanwhile, Apple has said that all iOS and Mac systems are vulnerable to Meltdown and Spectre, and that it has already released “mitigations” in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. The Apple Watch is not impacted. Patches to address this flaw in Linux systems were released last month.

Many readers appear concerned about the potential performance impact that applying these fixes may have on their devices, but my sense is that most of these concerns are probably overblown for regular end users. Forgoing security fixes over possible performance concerns doesn’t seem like a great idea considering the seriousness of these bugs. What’s more, the good folks at benchmarking site Tom’s Hardware say their preliminary tests indicate that there is “little to no performance regression in most desktop workloads” as a result of applying available fixes.

Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF). Additionally, Google has published a highly technical analysis of both attacks. Cyberus Technology has their own blog post about the threats.

Tags: , , , , , , , ,

86 comments

  1. Thanks for the no nonsense reporting on this!

  2. Nice Headline!

  3. > Google has issued updates to address the vulnerabilities on devices powered by its Android operating system

    Not on my phone, a Pixel XL.

  4. Ha, good play on words for the headline Brian! i feel you and others may be rather busy 2018, hell of a start to the year.

  5. Thanks for putting this into plain english. The technical aspect for Spectre is mind blowing.

  6. I wrangle a few machines, all running W-7 (SP-1); one has an AMD processor; the others have some flavor of Intel.

    Patch Tuesday arrived early this month. All my machines are set to “check for updates but let me choose whether to download and install them”. On a typical Patch Tuesday, I don’t rush to be at the head of the line, but I’m usually in the queue before Microsoft alerts me. KB4056894 knocked on my door mid-morning Fri 5 Jan.

    KB4056894 conflicts with certain anti-virus products, as mentioned in the story. This link

    https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

    offers a partial list of anti-virus products and their compatibility with KB4056894. “Partial list”: for example, the list includes Microsoft’s “Windows Defender” but not Microsoft Security Essentials.

    Bottom line: To properly install KB4056894, a specific registry entry is required. Details under “Known issues…”

    https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894

    My experience: no problem with the update installation, though the required restart took a few minutes more than typical.

    Intel-related resources:

    Intel firmware updates advisory page: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

    Intel-SA-00086 Detection Tool: https://downloadcenter.intel.com/download/27150?v=t

    • Arbee, thanks for the spreadsheet.

      It does not list AVG.
      This is from AVG support website:
      “Hi guys,

      AVG 2017 is compatible with the Windows patch and we protect against the malware since December 2017 and it is storing the required keys into the registry since Jan 3rd, 2018.

      Regards,
      Bhuvana, AVG Customer Care.”

      However, I find that the last Windows update on my desktop (W7) was on Dec. 14.

  7. I use ESET as my AV. Both of my Windows 10 PCs had the patch applied and I’ve notice no change in performance.

  8. Anyone know if these chip problems could screw with your router, now that would be very scary.

    • That’s what I was going to ask… Scary for a lot of people if it dawn be used to defeat firewalls. Any comments from networking hardware makers?

      • Shouldn’t really affect most routers. The exploit this, you need to be running some malicious code, and since there’s not normally a way to run random code on a router, there should be no opportunity to exploit.

  9. Charles Dennett

    What about older Android devices for which google no longer issues OS updates or security patches like my Nexus 6 phone and even older nexus 7 tablet? Everything I’ve read so far mentions supported devices and these are no longer supported.

  10. Great summary as usual. Looking forward to hearing if POC attack code for these vulns starts getting incorporated into any widely distributed malware.

  11. Still on Android 5.0 or lower??

    Call your cell phone provider and ask for the updates. It’s high time we demanded the ability to easily update our OS, using T-Mobile, Cingular, Sprint, etc.

    Orphaning older phones is no longer acceptable. A five year life of OS updates should be the bare minimum we should expect, or demand a rebate or partial refund.

    If providers won’t keep us updated, then let’s demand them from the hardware vendors like Samsung, or buy a different brand.

  12. Also will it screw with any xp and their embedded systems! it gets worse the more i think.

  13. IRS iTunes Card

    Researchers keep issuing high profile warnings about genuinely dangerous new security flaws, and a few weeks or even days later they are all but gone.

    Sooner or later people are going to start questioning the credibility of the research and the seriousness of the situation.

    • If you’re alluding that this is a false alarm, you’re completely mistaken. I’ve seen POCs for this already. It’s currently in embargo to give vendors a chance to respond and patch before malicious actors go live.

  14. I also just want to thank you for your reporting on this subject. Clear, precise and easy to understand.

  15. Thank you Brian for all your hard work to keep us informed; great summary on present crisis.

  16. You might mention that in order to exploit, an attacker has to get the exploit code onto a device. Javascript certainly makes that considerably easier. Still, safe computing practices do provide some bar to exploitation.

  17. It amazes me, as MS makes billions, the end user is the one who pays for all their vulnerabilities while they have very little accountability.

  18. From what I’ve read, the exploits for these vulnerabilities are not easy to implement. I think that government agency hackers will have and use these vulnerabilities in their exploit tools. But I doubt that these exploits show up in consumer-targeted malware.

    Most systems with shared processing and memory (cloud computing) are managed by professionals and will be patched long before exploit code is written.

  19. As somebody who remembers the days of bit-slice, this appears to be a problem in the underlying architecture. I’ve downloaded both white papers, but haven’t had time to read them in depth yet. They are intense…

    But if it’s a problem in the predictive branching and execution part of the microcode, it’s going to take hardware replacement or microcode updating (which does work). But that ability to update the microcode also much depends on processor model and motherboard model. Tough nut to crack at the transistor/microcode level, IMHO…

  20. Is there any vulnerability with smart DVD players and TV’s, cable modems and/or networking boxes such as Airport Extreme? If so, how will they be patched?

    • I forgot my username again

      Depends on the processor they are using. ARM, whose processor design is is IIRC more popular for embedded devices than x86 because of power efficiency, indicates only some models are affected by most of the flaws, although the flaw related to array-bounds checking (variant 1 in the linked advisory) does appear to be present in all their products. This flaw is mostly a risk for programs processing untrusted user data and may require changes to program code to be mitigated.

      Ars Technica has a good overview of the various vendor responses, as well as a well-written explanation of how these flaws work, which I recommend checking out.

  21. Thank you Brian for the best summary on this issue that I have read. I have a question though, perhaps someone will know the answer. What about Apple mobile devices that could not be upgraded to IOS 11 when that came out and thus remained stuck on IOS 10.3.3. Does Apple have any plans to adress those older devices with an update?

  22. Apple needs to patch OS 10.12 as many including myself will not install 10.13 until they clean up the problems with it.

  23. The update causes BSOD on pc’s with older AMD cpu’s, Turion on Win 7 pro 64 bit in my case. Took a while to recover, but the update is now hidden. No antivirus other than MS security essentials, so it’s not an antivirus problem. The registry entry is there as well. MS was in such a rush they didn’t properly test in my view.

  24. Could someone help me understand why this article is dated Jan 18, when it is Jan 6 (see top left under the title)?
    Also, I just checked for new updates on my desktop PC. No important updates are available. My last update was on 12/13/17-the 2017-12 security monthly quality roll-up for Windows 7 for x64-based systems. Why haven’t I received this latest update?
    FYI: I am not a tech person.
    Thanks for any insights you all might have.

    • The big number is the day. Also, it’s explained in the story in fairly plain english that some Windows users aren’t going to see a patch yet because of compatibility issues with various antivirus products. You might try rebooting the computer and checking again.

      • Readers have been complaining about that ugly date format since the dawn of this blog. Time (hehe) for an update. I recommend ISO 8601.

  25. Thanks, Brian. I just read on-line that Windows 7 users won’t get the update until next Tuesday.

  26. i never use any virus detector on my pc i never dont bother with updates,i just dont have time and i really dont care if someone will hack me somehow hacker will leave always trace !!
    only if anyone want they can always follow the money i never worry about and i dont do extra moves i simply dont care just.
    if i want i can simply smash my computer,internet and computer is not needed to susrvive. i simply dont care ,Brian i think you make people paranoid,can you imagnine to live everyday in fair about hackers? thats grazy i use old computer and old operation system in my pc,i even dont care that there is new ones,i dont have time to think about this bs,i have beatiful life to live.
    and that s mygoverment and police who get payed to secure me,my safety its not my problem,,thats the goverment problem to give me and provide me with everything.
    thats its real talk

  27. if i pay taxes then i dont care about anything ,i done my job,then why else i pay even taxes? i simply dont care really about my safety,if anything happends,i will pushh the goverment and police to work until they make moves,i will not care i dont have to do nothing. dogs when they are told to do,humens can think and me i dont do anything if its notnecesaary,so put your updates and bs,where it belongs,real people dont want any security updates or bs.
    i even use old phone,coz i got no time to follow this new trends ,as i said people shoudl have real life to live.
    thank you!!

  28. Since the flaw allows permeability between data of different processes, it is devastating for shared hosts. Shared hosts are massively used by cloud services. On a shared host (unlike your computer or personal device), the data from hundreds, maybe thousand users coexist in the computer memory.
    So data in the cloud is particularly vulnerable to this flaw. You can only prey that your service providers (at minima, the password managers and backup service providers) have taken the mitigation steps.

  29. The NSA un activo, Edward Snowden has reason

Leave a comment