Meltdown, Spectre, and the Security Flaws
Earlier this month, when the report about the Intel chip flaws went public, most of the tech giants, such as Microsoft, Google, IBM, and Apple, started rolling out patches for the bugs named “Meltdown” and “Spectre.” Even though much has been published about the potential vulnerabilities caused by these flaws since they were uncovered, the full extent of the security impact on an organization’s ecosystem is still uncertain. One possible use of the (still hypothetical) exploitation of these bugs is the theft of privileged credentials from kernel memory, which is the focus of this article.
So, what are Meltdown and Spectre?
Meltdown and Spectre are bugs at a fundamental level that allow critical information stored within computer processors to be exposed.
Meltdown, designated CVE-2017-5754, is a security flaw that lets unprivileged users read the contents of private kernel memory. All Intel processors built since 1995 are affected by Meltdown.
Spectre (CVE-2017-5753 and CVE-2017-5715), on the other hand, can extract information from a running processor, which allows a hacker to reach deep into a computer’s memory and obtain sensitive information such as credit card or bank account details. Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it.
How do Meltdown and Spectre work?
Processors are one of the building blocks of digital devices. Unlike analog computing, today’s computing is done by parallel processing (lots of calculations for different applications at the same time). Processors store information about ongoing processing and predict the next calculations for a faster user experience. This complex processing system is now vulnerable because of Meltdown, which allows access to the kernel, the last level of your computer’s control system.
While Meltdown affects Intel processors, Spectre can affect even more devices. Though experts commented that Spectre is more difficult to exploit, hackers can simply use a cloud service to access customer data. For cloud computing systems and cloud services, Spectre is more dangerous than any other flaw that has been discovered to date. Because a single server is not commonly dedicated to a single user, the recently discovered chip flaw would allow attackers to target admin accounts and steal all of the consumers’ information from that server.
How serious is it and what’s the impact?
Some security teams have already released patches against these flaws. Unfortunately, these patches for the Linux and Windows operating systems reduce system performance by up to 30 percent, depending on the running processes.
Is it already being used by the attackers?
According to the UK’s National Cyber Security Centre and Google’s Project Zero, there is no evidence that Meltdown and Spectre have been used to steal information or hijack computers. However, as already described, the nature of these flaws also makes them very difficult to detect. Some investigative specialists are worried that hackers may develop programs to launch attacks, so they are treating that expectation as a reason to protect computers and devices as a precaution. Different operating systems, including Windows and Linux, have already shipped updates to reduce the vulnerability. Intel said it is only possible to prevent Meltdown with operating system software updates. However, the fix for Spectre depends on the users themselves. If a user allows an unwanted script to run in the browser without any level of awareness or protection in place, the system could be compromised by attackers.
What should you do about it?
So, after understanding the potential threat posed by these vulnerabilities, what can you do to protect your ecosystem? Here are two important strategies you can take to secure your environment from a potential breach due to the Meltdown and Spectre security flaws:
Patch your systems:
- Windows and Linux computers already have a system update to fix these security flaws. If you haven’t updated, do it right now! Chromebooks are also protected, as Chromebook update 63 was released at the end of 2017 and continues this month.
- Google’s authorized Android smartphones, including Pixel and Nexus, should have already received the security update, so these devices are protected. For other Android devices, however, you will need to wait for manufacturers such as Samsung, OnePlus, and Xiaomi to push the OTA update to your devices.
- For iOS, Apple advised installing applications only from trusted sources such as iTunes or the App Store. Apple also announced that there are no known exploits impacting its customers.
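To confirm that a Linux host has actually picked up the fixes, the kernel reports a per-flaw mitigation status under `/sys/devices/system/cpu/vulnerabilities/`. The script below is an added example, not part of the original article; the function names and the sample status files in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
# Reads the kernel's sysfs interface (Linux 4.15+ and distribution backports).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints ok | vulnerable | unknown.
# Prefix-based: always read the full status line for sub-mitigation detail.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> one report line per flaw; the return status is
# the number of flaws that are not reported as mitigated or unaffected.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    bad=0
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 \
                 spectre_v2:CVE-2017-5715; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        if [ -r "$dir/$name" ]; then
            status="$(head -n 1 "$dir/$name")"
        else
            # A missing file typically means the kernel predates the
            # reporting interface, so treat it as needing attention.
            status="no sysfs entry"
        fi
        verdict="$(classify_status "$status")"
        [ "$verdict" = ok ] || bad=$((bad + 1))
        printf '%-11s %-14s %-10s %s\n' "$name" "$cve" "$verdict" "$status"
    done
    return "$bad"
}

# Demo on constructed sample files (not output captured from a real host).
# On a real Linux system, call check_cpu_vulns with no argument.
sample="$(mktemp -d)"
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Vulnerable" > "$sample/spectre_v2"   # spectre_v1 deliberately absent
check_cpu_vulns "$sample" || echo "flaws needing attention: $?"
rm -rf "$sample"
```

A non-zero return status makes the function easy to wire into a fleet-wide compliance check or a configuration-management fact.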
Use MFA with Zero-Trust Model for Privileged Accounts to reduce vulnerability:
- As privileged accounts are hackers’ number one target, enterprises should look into adopting a solution that enables multi-factor authentication for these accounts, preferably with Just-In-Time Access. If you assume that these credentials will ultimately be compromised, you can incorporate controls to contain the damage when it happens.
- Conduct a continuous inventory to discover privileged access across your entire ecosystem. Additionally, implement a Zero-Trust security methodology by reducing unnecessary privileged accounts, eliminating shared accounts, and providing just-in-time administration. Granting administrators on-demand access to the tasks they need, for the time they need it, will mitigate account compromise by up to 99%.
As mentioned above, there is a great deal of complexity and uncertainty about Meltdown and Spectre. It is, however, critical for any organization to take precautions and all actions necessary to prevent its privileged access from being breached. The fix can be very simple, as outlined above. Not taking action, however, can not only lead to significant data and financial loss but could also cost your organization its reputation if critical customer information is stolen!