Spectre and Meltdown

The Situation

The IT Industry has been rocked by critical vulnerabilities in the CPU architectures of Intel, ARM, AMD and IBM.

These are hardware vulnerabilities, so they affect most common operating systems (Windows, Mac OS X, iOS, Linux, ChromeOS), cloud hosts such as Azure, Amazon and Google, and the products of a vast array of hardware vendors.

I apologise now if this information comes across as very techy but some terminology is quite difficult to relay and it is critical you are made aware – I will do my best to make it relevant and easy to follow.

How does it work?

Features inside your computer’s processor (CPU) that are designed to improve performance can be exploited by hackers to steal information stored in your computer’s memory (RAM), which holds the data of whatever programs you have open at the time.

Some real world scenarios:

An accountant working in Xero through a browser such as Google Chrome is accessing personal customer information, bank details and income details. They open an email with a malicious attachment, or a phishing email that redirects them to a compromised website, which executes the malicious code. At that point the information from Google Chrome that is currently stored in memory can be stolen.

You are a GP with a patient’s private information open and have left your notes open while you read content from a news website that has been hacked. Again, that information is stored in memory and can be stolen.

It is important to know that simply visiting a website can cause this breach without any further user interaction. It does not need to be a porn website, a site on the “dark web” or a download. This is what’s known as “fileless malware”, because no malicious files are transferred to, opened or run on your computer.

What happens now?

Mitigation of the threat by Microsoft, Apple and all hardware vendors is well underway, but it has not gone smoothly and is a multi-stage process, as follows (I will be focusing on Microsoft Windows as this covers 99% of our customers’ computers):

1 – Verify your Antivirus system is Authorised by Microsoft (we have checked on your behalf and you are covered).

2 – Your antivirus vendor will update itself if it is Cloud based (which ours is).

3 – Our team changes a registry key. Without this you will not receive the patch/update (we have this scripted so it is easy, but due to the possible problems we have held back).

BUT….

If you are running an AMD Processor your computer may fail to start up (these days we are only selling Intel based computers).

If you are unlucky, your computer may not accept the update and additional work will be required to apply the patch – like my home laptop which took 3 hours total after a fresh Windows 10 install.

4 – Once available, the BIOS of the computer must be updated with the newest computers being fixed first. My personal HP Laptop will not receive the BIOS update until next month.

5 – Applications like Chrome, Firefox, Edge and Internet Explorer will also require updates but should update themselves.

There’s more…

  • Once this has all been completed, older computers will likely have reduced performance, and some computers won’t receive any updates from Microsoft or from the hardware vendors at all, which leaves you exposed to significant risk.
  • Intel 4th Generation (Haswell) processors and newer will not experience any performance impact. These were released in 2013 but could still be inside computers purchased in 2014/15.
  • Computers running 32-bit operating systems won’t automatically receive updates and will have to be patched manually.
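
As an added example (not code from the original post), the read-only PowerShell audit below checks on one Windows machine the prerequisites that steps 1 to 5 above depend on: the OS architecture (the 32-bit caveat), the antivirus-compatibility registry value Microsoft required before offering the update (step 3), the mitigation state reported by Microsoft’s SpeculationControl module (steps 3 and 4, where hardware support only appears once the BIOS/microcode update is in), and installed browser versions (step 5). It assumes PowerShell 5.1, that the SpeculationControl module has been installed where that check is wanted, and default browser install paths.

```powershell
# Added example, not code from the original post: a read-only audit of the
# Spectre/Meltdown prerequisites described in steps 1-5 above.
# Assumes Windows 10 / Server 2016 with PowerShell 5.1. The SpeculationControl
# module is Microsoft's (Install-Module SpeculationControl); the browser paths
# are typical defaults and are assumptions.

$report = [ordered]@{}

# "There's more": 32-bit installs are not patched automatically.
$report.OSArchitecture = (Get-CimInstance Win32_OperatingSystem).OSArchitecture

# Step 3: the antivirus-compatibility flag that gates the January 2018 update.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$compatVal  = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
$report.QualityCompatSet = ($null -ne $compatVal -and $compatVal.$compatName -eq 0)

# Steps 3 and 4: has the OS patch landed, and does the firmware/microcode
# (BIOS update) expose the hardware support Windows needs to enable it?
if (Get-Module -ListAvailable -Name SpeculationControl) {
    Import-Module SpeculationControl
    $sc = Get-SpeculationControlSettings
    $report.MeltdownOSSupport  = $sc.KVAShadowWindowsSupportPresent   # OS patch installed
    $report.MeltdownEnabled    = $sc.KVAShadowWindowsSupportEnabled   # ... and active
    $report.SpectreV2HWSupport = $sc.BTIHardwarePresent               # needs BIOS/microcode
    $report.SpectreV2Enabled   = $sc.BTIWindowsSupportEnabled
} else {
    $report.SpeculationControl = 'module not installed; run Install-Module SpeculationControl'
}

# Step 5: browsers should self-update; record what is installed so it can be
# compared with the version each vendor lists as fixed.
$browsers = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
)
foreach ($exe in $browsers) {
    if (Test-Path $exe) {
        $report[(Split-Path $exe -Leaf)] = (Get-Item $exe).VersionInfo.ProductVersion
    }
}

[pscustomobject]$report | Format-List
```

Run it from an elevated PowerShell prompt; a machine that shows QualityCompatSet as False, or MeltdownEnabled as False, has not completed step 3, and SpectreV2HWSupport stays False until the BIOS update from step 4 is applied.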

Shouldn’t Antivirus software stop this?

There is no correct answer here as industry experts claim no product can protect against every threat.

The best course of action is direct mitigation against this flaw which in this case is patching/updating the operating systems and hardware where possible.

What happens if my systems are too old?

We recommend replacing them in a controlled manner, as at this very moment there are no known threats in the wild…YET!!!

This issue and the current state of play will be discussed during IT Champions Training Programs scheduled for the 14th of February.

The Summary…

  • OtiumTech will be the first to have patches and fixes applied – if we can’t get it right for ourselves we won’t roll it out.
  • Review your fleet of computers and develop a refresh strategy. One new PC every month or two is a smart approach. We can provide a report highlighting 32-bit operating systems and those likely to experience a performance impact.
  • This will be a long process and there will be speedbumps – it has to be done right.

Check out this article for the latest update on this issue:

http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges

Author: Shaun Atkinson

Shaun is the head of engineering at OtiumTech. He is passionate about cyber-security and finding ways to push SMEs forward into new technologies.