Meltdown and Spectre patches and mitigations released
Vendors released the vulnerability disclosures and patches for the new Meltdown and Spectre CPU attacks as the infosec industry begins mitigating risks.
The microprocessor architecture flaws under intense speculation now have names -- Meltdown and Spectre -- as well as details, patches and mitigation techniques, although serious concerns remain.
A collaboration of researchers from Google's Project Zero team; Graz University of Technology in Styria, Austria; the University of Pennsylvania; the University of Adelaide in Australia and various security companies released the full details of two attacks -- called Meltdown and Spectre -- that exploit flaws inherent to modern CPUs in order to steal sensitive data from memory. Meltdown has currently only been proven effective against Intel processors, while the Spectre attack can be leveraged against processors from Intel, AMD and ARM.
Both attacks exploit flaws in how modern processors implement address space layout randomization (ASLR). According to the official vulnerability disclosure brand page for Meltdown and Spectre, the difference between the attacks is the type of memory accessible.
"Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory," researchers wrote. "Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location."
Meltdown and Spectre attacks
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., expanded on this to explain that Meltdown was able to read physical memory, including kernel memory, while Spectre "can only read memory from the current process, not the kernel and other physical memory."
Because of this distinction, Williams said during a SANS webcast that the primary use of Meltdown appeared to be for privilege escalation and container/virtualization hypervisor escape, while Spectre would primarily be exploited through JavaScript execution in the browser.
"On any unpatched system, if an attacker can execute a process, they can dump all (or most) physical memory [using Meltdown.] With physical memory, attackers could identify password hashes, execute a Mimikatz-style attack on Windows or find private keys," Williams said. "Using JavaScript, Spectre attacks could be used to leak browser cache or other saved data that pertains to other sites. Spectre can be used to determine the address of a module in memory and bypass ASLR, ushering in the new age of practical browser exploitation."
Researchers admitted that Meltdown and Spectre can be especially dangerous because it may not be possible to detect if an attack has occurred since "the exploitation does not leave any traces in traditional log files."
Meltdown and Spectre patches and mitigation
The Meltdown attack exploits vulnerability CVE-2017-5754 and Spectre uses CVE-2017-5753 and CVE-2017-5715. Patches and mitigation techniques have already been released by most major vendors. [Editor's note: Links to all Meltdown and Spectre patches and mitigation techniques are located on the research site.]
The initial speculation surrounding Meltdown and Spectre began because kernel page-table isolation (KPTI), which mitigates the threat, was merged into the Linux kernel; major Linux distros -- Red Hat, Debian, Ubuntu and SUSE -- have confirmed the updates are live for users.
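As an added example (not code from the article or from any vendor), the following Python check reads the per-vulnerability status files that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, which shipped with the KPTI work and were backported to distro kernels, and maps the three CVEs named above to mitigated, vulnerable, not affected or unknown. The SAMPLE readings are constructed to show what a KPTI-patched kernel without full retpoline support reported.

```python
import os

# Status files the Linux kernel exposes for the CVEs named in the article; the
# vulnerabilities/ directory arrived with the KPTI work and was backported.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CVE_TO_SYSFS = {
    "CVE-2017-5754": "meltdown",    # Meltdown
    "CVE-2017-5753": "spectre_v1",  # Spectre variant 1 (bounds check bypass)
    "CVE-2017-5715": "spectre_v2",  # Spectre variant 2 (branch target injection)
}

def classify(text):
    """Map one sysfs status line to vulnerable / mitigated / not_affected / unknown."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):  # also "Vulnerable: <partial mitigation detail>"
        return "vulnerable"
    return "unknown"

def assess(readings):
    """readings: sysfs file name -> contents, or None when the file is absent
    (a kernel that predates the mitigation work). Returns {cve: (status, raw)}."""
    result = {}
    for cve, name in CVE_TO_SYSFS.items():
        raw = readings.get(name)
        result[cve] = ("unknown" if raw is None else classify(raw), (raw or "").strip())
    return result

def needs_attention(assessment):
    """CVEs whose status is anything other than mitigated or not affected."""
    return sorted(cve for cve, (status, _) in assessment.items()
                  if status not in ("mitigated", "not_affected"))

def read_sysfs(directory=SYSFS_DIR):
    """Collect live readings from the running kernel; missing files become None."""
    readings = {}
    for name in CVE_TO_SYSFS.values():
        try:
            with open(os.path.join(directory, name)) as f:
                readings[name] = f.read()
        except OSError:
            readings[name] = None
    return readings

# Constructed sample: a KPTI-patched kernel built without full retpoline support
SAMPLE = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n",
          "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"}
```

On a live host, `needs_attention(assess(read_sysfs()))` lists the CVEs still requiring a kernel or microcode update; an all-"unknown" result means the kernel predates the status interface and is itself a finding.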
Google released the Android patch as part of its January security update -- which will only be received by Nexus and Pixel users at first -- as well as announcing protections for G Suite, Google Cloud Platform, Chrome OS, Chrome and more.
Microsoft said "the majority" of its Azure cloud infrastructure has been patched against Meltdown and Spectre, but some customer VMs may need to be rebooted in order to apply the patch; Microsoft has sent notifications to those affected. Microsoft also released a patch and security advisory for Windows, but noted that there is an issue with some "incompatible anti-virus applications" that could leave devices unable to boot and has not pushed the patch to systems with known AV issues.
Kevin Beaumont, a security architect based in the U.K., has been gathering information on such AV compatibility issues.
I've added @Endgame to the spreadsheet tracking MS patch, anybody know status of @Malwarebytes and Mcafee? Haven't seen anything from either. https://t.co/3rdVUJKS0k
— Kevin Beaumont (@GossiTheDog) January 4, 2018
Intel, AMD and ARM have released statements commenting on Meltdown and Spectre and the patches and mitigations available. Apple did not release a statement, but researchers have found evidence of patches in macOS and iOS.
Alex Ionescu, vice president of EDR strategy at CrowdStrike, applauded all of the work by vendors to mitigate the risks of Meltdown and Spectre.
This patch literally invents new computer science to work around the side-channel CPU issues. Continuing to be in awe and massive kudos to all the OS vendors who had to probably re-do entire feature roadmaps to handle this work. tl;dr Tokens/Processes now have "Security Domains". pic.twitter.com/DjddA97GZ7
— Alex Ionescu (@aionescu) January 4, 2018
However, despite all of this work, Williams noted that with the Meltdown patches specifically, "the patch does not address the core vulnerability; it simply prevents practical exploitation." He warned that this should protect users for now, but the fact that malicious actors will continue to find ways to exploit the Meltdown and Spectre flaws "makes it clear that CPU architecture decisions need to be rethought."