Protection against “Spectre” & “Meltdown” now available
On January 4th, 2018, security researchers made public their earlier findings on two processor vulnerabilities, known as Spectre and Meltdown.
Variants of this issue are known to affect many modern processors, including processors made by Intel, AMD and ARM.
The flaw has three technical variants, each assigned its own CVE: CVE-2017-5753 (Variant 1, bounds check bypass) and CVE-2017-5715 (Variant 2, branch target injection), which the researchers named “Spectre,” and CVE-2017-5754 (Variant 3, rogue data cache load), which they named “Meltdown.” Each of these could result in:
Leakage of data the attacker is not authorized to read: privileged kernel memory in the case of Meltdown, and memory belonging to other processes, sandboxes or virtual machines on the same host in the case of Spectre
Patching may result in performance degradation
The performance impact will vary by deployment and workload and cannot be quantified in absolute terms.
Essence of This Flaw
The CPU flaw stems from the way modern processors optimize performance by speculating about which instructions they will need to execute next. As a simplified picture, the data a program needs lives in one of three places: the processor’s cache, main memory, and on-disk storage. Each has a different access speed and capacity: the cache is small and fast, main memory is larger and slower, and disk is larger and slower still.
This affects how quickly a program can run. Programs are not linear; they frequently branch between different possible paths, and sometimes the decision on which branch to follow depends on data that has to be fetched from a slower level, such as main memory or disk.
Rather than idling until that data arrives, the processor will often speculate as to which branch will be followed and continue executing along it. If the guess was correct, it keeps the results; if it was wrong, it discards the incorrectly computed results and restarts along the correct branch. The discarded work, however, has already changed the state of the cache (for example, by loading a line of memory it touched), and that change survives the rollback.
Speculative execution therefore often means the processor executes instructions before it knows whether they violate a security protection, such as a bounds check or the boundary between user and kernel memory.
Overall, these vulnerabilities exploit timing differences in speculative processing, and more specifically the mis-speculation window: the period during which the processor is executing the wrong path but has not yet learned which path is correct. Code run inside that window can touch memory it would never be allowed to read architecturally, and the attacker then recovers the value by measuring how quickly different cache lines can be accessed afterwards.
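As an added example (not code from the original page), the C program below shows the Variant 1 “bounds check bypass” pattern described above beside the branchless index mask the Linux kernel uses to harden such code (its generic array_index_mask_nospec). The arrays, the “secret” string and the function names are constructed for this example; nothing here performs the cache-timing measurement itself. It shows why a correct bounds check is not sufficient on its own, and how a data-dependent mask keeps a mis-speculated index inside the array.

```c
/* Added example, not code from the original page: a Spectre Variant 1
 * (bounds check bypass) gadget beside the branchless index mask the Linux
 * kernel uses to harden such code (array_index_mask_nospec). The arrays,
 * the "secret" string and the function names are constructed for this
 * example; nothing here performs the cache-timing measurement itself. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define LINE_STRIDE 512 /* one cache line (plus padding) per possible byte value */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * LINE_STRIDE];          /* probe array an attacker later times */
static const char secret[] = "constructed secret"; /* data the attacker may not read architecturally */
static size_t array1_size = ARRAY1_SIZE;           /* a bound that may not be in cache when checked */
static volatile uint8_t sink;                      /* keeps the dependent load from being optimized out */

/* VULNERABLE pattern. The bounds check is correct, but if array1_size has to be
 * fetched from slow memory the CPU predicts the branch and runs the body with an
 * out-of-bounds x. array1[x] then reads a byte past the array (e.g. from secret)
 * and array2[byte * LINE_STRIDE] loads one cache line chosen by that byte. When
 * the misprediction is resolved the register results are thrown away, but the
 * cache line stays resident, and an attacker finds it by timing loads from array2. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size) {
        sink = array2[array1[x] * LINE_STRIDE];
        return array1[x];
    }
    return 0;
}

/* Branchless mask in the style of the kernel's generic array_index_mask_nospec():
 * all ones when index < size, all zeros otherwise. If index < size, neither index
 * nor (size - 1 - index) has its top bit set; if index >= size the subtraction
 * wraps and sets the top bit. Valid for sizes below 2^63, as in the kernel. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long in_bounds =
        ~(index | (size - 1UL - index)) >> (sizeof(unsigned long) * CHAR_BIT - 1);
    return 0UL - in_bounds; /* 1 -> 0xFFFF...FF, 0 -> 0 */
}

/* HARDENED pattern. The mask is applied with a data dependency, so even on a
 * mis-speculated path x is forced to 0 instead of an out-of-bounds value, and the
 * dependent load cannot encode a secret byte into the cache. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
#if defined(__GNUC__)
        /* Hide x from the optimizer (as the kernel's OPTIMIZER_HIDE_VAR does);
         * otherwise the compiler, which only sees the architectural path, may
         * conclude the mask is always all ones and drop it. */
        __asm__("" : "+r"(x));
#endif
        x &= index_mask_nospec(x, array1_size);
        sink = array2[array1[x] * LINE_STRIDE];
        return array1[x];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = {0, 7, 15, 16, 100, (size_t)-1};
    (void)secret; /* referenced so the compiler keeps the illustrative object */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %zu: mask 0x%016lx, hardened returns %u\n", probes[i],
               index_mask_nospec(probes[i], array1_size), victim_hardened(probes[i]));
    return 0;
}
```

Both functions return the same architectural result; the difference is only visible on the speculative path, which is why a compiler or a unit test cannot tell you whether the gadget is exploitable. The empty asm statement matters: without it an optimizing compiler may reason that x is already in bounds inside the if and delete the mask, which is exactly the reasoning the CPU's speculation invalidates.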
To exploit these vulnerabilities an attacker must be able to run code on the target system itself, or on a virtual machine hosted on the same physical machine. Protections that prevent unauthorized access to systems from outside the infrastructure therefore serve as a first barrier, as do existing access controls for internal users.
The most immediate action security teams can take to protect assets is to prevent execution of unauthorized software, and visits to untrusted websites, on any system that handles sensitive data, including virtual machines that share a host with such systems. Treat any form of code execution, whether a native binary, a script or JavaScript served by a web page, as a potential attack vector.
Also, ensure that security policies are in place to prevent unauthorized access to systems and the introduction of unapproved software or software updates.
In order to minimize the potential impact of these vulnerabilities, we recommend you take the following actions:
Patch all Windows, Linux, Android, iOS and macOS clients with the latest updates from their vendors, and apply the CPU microcode or firmware updates released by your hardware vendor, since some of the Variant 2 (branch target injection) mitigations depend on them.
Enable the Intrusion Prevention Service (IPS) and the anti-malware protection on your firewalls. These can block delivery of known exploit code but do not remove the underlying CPU weakness, so they complement patching rather than replace it.
Use Google Chrome or a Chromebook to browse the internet. Chrome offers an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities from web content: with Site Isolation enabled, Chrome renders each open website in a separate process, so the data a malicious page could reach through a speculative side channel is reduced to that page’s own site rather than everything the browser has loaded. Read more about Site Isolation, including some known issues, and how to enable it via the SitePerProcess enterprise policy or via chrome://flags/#enable-site-per-process.
Additional details on these vulnerabilities can be found at: