Last week news broke of possibly the biggest and most concerning technical vulnerability, affecting nearly every modern processor in our devices made since 1995.

Disclosed initially by Google Project Zero, the vulnerabilities potentially impact all major CPUs, including those from AMD, ARM, and Intel—threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.

These hardware vulnerabilities have been categorised into two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), both of which could allow attackers to steal sensitive data that is currently being processed on the computer.

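The attacks take advantage of a feature in chips known as “speculative execution”, a technique used by most modern CPUs to optimise performance. Rather than waiting, the processor guesses which instructions it will need next and executes them ahead of time; if the guess turns out to be wrong, the results are discarded and the CPU state is unwound.

However, it is possible for such speculative execution to have “side effects which are not restored when the CPU state is unwound and can lead to information disclosure,” which can be accessed using side-channel attacks.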

The first issue, Meltdown, allows attackers to read not only kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system. This includes passwords and other data.

Nearly all desktop, laptop, and cloud computers are affected by Meltdown.

The second vulnerability, Spectre, is not easy to patch and will haunt people for quite some time since this issue requires changes to processor architecture in order to fully mitigate.

Spectre attacks can be used to leak information from the kernel to user programs, as well as from virtualisation hypervisors to guest systems. According to researchers, this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones—powered by Intel, AMD, and ARM chips.

 

What You Should Do: Mitigations And Patches

Many vendors have security patches available for one or both of these attacks.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • macOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
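
To confirm on a Linux host that a patched kernel is actually mitigating all three CVEs, the kernel's own status report can be read from sysfs. The shell functions below are an added example, not part of the original article; they assume a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigation.
# Assumes a Linux kernel that exposes the sysfs directory below; kernels
# without these files are reported as UNKNOWN.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per issue; returns 0 only if all are OK.
# DIR defaults to the live sysfs path; pass a copied directory to audit
# status files collected from another machine.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${entry%%:*}
        cve=${entry#*:}
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
        else
            text="(no report from kernel)"
        fi
        verdict=$(classify_status "$text")
        # Anything other than OK (vulnerable or unreported) fails the check.
        [ "$verdict" = OK ] || rc=1
        printf '%-10s %-13s %-10s %s\n' "$name" "$cve" "$verdict" "$text"
    done
    return $rc
}
```

Source the file and run `check_cpu_vulns` with no arguments on the host being checked; a non-zero exit status means at least one issue is reported as vulnerable or is not reported at all.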

 

Mitigations for Chrome Users

Since this exploit can be executed through a website, Chrome users can turn on the Site Isolation feature on their devices to mitigate these flaws.
Here’s how to turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:

  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labeled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

There is no single fix for both attacks, since each requires protection independently.

For our Secure IT (retained) clients we will be working with you over the next few days to make sure you’re protected. For everyone else, feel free to get in touch if you need advice or support on this or any other security issue. You can reach us at any time at info@marclay.co.uk or by calling us on +44(0) 203 0393394.