It’s all over the news – the CPU bug that affects Intel (and AMD, some ARM, etc). There are actually several vulnerabilities with different scopes and different patches are needed. Some of the issues can’t be fixed by patching the Operating System (Windows, Linux, Mac OSX). They’re actually in the browser software or the like. So look out for patches to Mozilla Firefox, Google Chrome, etc.
So what does this all mean?
What is Meltdown and Spectre?
https://meltdownattack.com gives a reasonable overview and links to technical details. For a humorous look there’s XKCD. For CLASSE it’s potentially very dangerous if you run untrusted code. But this isn’t specifically new – we’ve always said untrusted code could be malware. This is just a new sort of malware. The issue is that it’s possible to bypass certain security mechanisms for READ access. This can expose passwords or other sensitive information that is in memory. It’s mostly a problem for Cloud providers, though if you download a virtual machine (VM) at home from a repository to play with some sort of program, make extra sure it’s a trusted repository and you trust the VM. But this shouldn’t be new really. This is one reason CLASSE doesn’t allow local VMs and only centrally managed ones – so we can vet the security of what we’re running.
What is CLASSE doing?
The CLASSE IT group is analyzing the patches that are available. All of these patches will require a reboot. With the current details and our current risk profile, we are following normal patching guidelines: Desktops will be patched during the next patch cycle and servers will be updated as soon as is reasonable. However, the details are fast developing, so we may have to change these plans. Pay attention to the CLASE IT Newsletter for official details.
What should I do at home?
Patch as soon as possible. Watch for web browser patches as well to increase protection of extensions like the LastPass extension. This is a long term issue and there will be ongoing updates to patches to increase security and performance. It is likely that if your computer contains an Intel CPU, fully mitigating the problem will require a whole new computer once the issue is understood well enough for Intel to design and ship redesigned CPU chips. Very few computer motherboards allow you to replace just the CPU chip.
Conclusions
So far – this is basically of interest in that it’s a new way for malware to extract information from your computer. This isn’t good, but it doesn’t seem that remote exploits have been widely distributed as yet. You would still need to download something that was malware and run it on your computer. If you did that, anything in your RAM at the time could be stolen, including passwords. There is a concern that Javascript in web browsers can exploit these design flaws, too. At least currently, such a script seems limited to the information in the current web browser process. Going to a malicious or compromised website would potentially allow that Web site to attack something like LastPass as an extension or if the site was open in a tab in the same process, but it wouldn’t be able to read the system and see your Windows log in password. However, we’re just not sure at this time, so keep an eye out. We’ll provide updates about new information that seems relevant to the CLASSE community.
Updates:
Jan 08 2018
- Meltdown, the most concerning vulnerability can and has been patched by the common Operating System Vendors. Slowdowns are less than initially expected, now suggested to be between 1% (Intel’s estimate) and 23% (worst case testing against PostgresSQL) rather than the previously speculated 5%-60%. Still dependent on Workload.
- Firefox ESR is not affected by Spectre. The non ESR release is, and there’s work on a patch, but one isn’t available currently.