11 January 2018
Meltdown and Spectre: the Latest Security Threat Explained
The discovery of three serious chipset flaws, collectively named Meltdown and Spectre, has thrown data security back into the spotlight once again.
The flaws, found in processors designed by Intel, AMD and ARM, could leave sensitive personal information, such as passwords and banking details, open to attack from hackers via user and kernel memory. Intel were actually advised about the problem six months ago when Google’s Project Zero team discovered the flaws, but it was hoped that the issues would be solved before details were made public.
The scale of the threat is unprecedented and includes servers, firewalls and network switches, and virtually all PCs, smartphones and tablets running almost any operating system. Apple devices, often considered far safer than their Windows or Android rivals, are also widely affected. The news has left tech companies in a mad dash to release patches for the bugs.
While there is currently no evidence that the flaws have been used by criminals, we are likely to see a surge in attacks as hackers try to exploit the vulnerabilities before they can be patched. Proof-of-concept code is available as a starting point for hackers, as are scanners that find vulnerable systems to target.
The Meltdown bug is thought to affect most Intel processors produced since 1995. Potentially, the flaw could allow hackers to breach the barrier between user-run applications and a computer’s core memory. In order to fix the problem, changes must be made to the way the affected operating systems handle memory, which could slow down the performance of certain tasks by up to 30%.
As Meltdown patches for Windows 10 are incompatible with some antivirus programs, Microsoft performs checks before installing a patch. So if your antivirus software is not up to date and the right checks have not been made, the appropriate security patches might not be applied. In some cases, Windows 10 has caused some PCs to display the dreaded Blue Screen of Death (BSOD) due to problems with antivirus and some AMD chips, so testing and research are key before patching.
The Spectre bug could potentially allow hackers to trick applications into releasing sensitive information, and affects the majority of modern processors designed by Intel, AMD and ARM, giving it a much broader reach. Spectre is thought to represent a greater challenge to hackers, but is also considered more complicated to fix. This is most problematic on browsers where information like access tokens for open websites might be stolen. For the majority of browsers, the latest versions have fixes to mitigate the risk, so it is important to be running the very latest versions of Chrome, Safari and Firefox.
What does this mean for organisations?
As the flaws could potentially compromise the confidentiality, integrity or availability of personal data that is processed on systems that use the affected CPUs, it is vital that organisations understand the potential level of exposure by checking how many of the affected CPUs are in use. They should then ensure that they have a plan for applying the patches once available, factoring in the potential effects on system performance and any compatibility issues.
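One way to run that exposure check on Linux hosts, shown as an added example that is not part of the original article: kernels carrying the Meltdown and Spectre fixes report per-issue status under `/sys/devices/system/cpu/vulnerabilities/`, and the script below tallies those reports across a fleet. The host names and sample status lines are constructed, and Windows or Solaris systems need their vendors' own tooling.

```python
from collections import Counter
from pathlib import Path

# Real Linux sysfs directory; one small text file per issue.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map a kernel status line to not_affected / patched / exposed / unknown."""
    s = status.strip().lower()
    for prefix, state in (("not affected", "not_affected"),
                          ("mitigation", "patched"),
                          ("vulnerable", "exposed")):
        if s.startswith(prefix):
            return state
    return "unknown"  # empty or unrecognised: file missing, kernel too old

def read_host(base=SYSFS):
    """Collect this host's report; a missing file is recorded as ''."""
    return {i: (Path(base) / i).read_text().strip()
            if (Path(base) / i).is_file() else "" for i in ISSUES}

def summarise(fleet):
    """fleet: {host: {issue: status}} -> (per-issue Counter, hosts to patch)."""
    totals = {i: Counter() for i in ISSUES}
    todo = []
    for host in sorted(fleet):
        states = {i: classify(fleet[host].get(i, "")) for i in ISSUES}
        for issue, state in states.items():
            totals[issue][state] += 1
        if any(s in ("exposed", "unknown") for s in states.values()):
            todo.append(host)
    return totals, todo

# Constructed sample reports (hypothetical hosts), as read_host() would return.
SAMPLE_FLEET = {
    "web01": {"meltdown": "Mitigation: PTI",
              "spectre_v1": "Mitigation: __user pointer sanitization",
              "spectre_v2": "Mitigation: Full generic retpoline"},
    "web02": {"meltdown": "Vulnerable", "spectre_v1": "Vulnerable",
              "spectre_v2": "Vulnerable: Minimal generic ASM retpoline"},
    "db01": {i: "Not affected" for i in ISSUES},
    "old01": {},  # kernel predates the sysfs interface: treat as unknown
}

if __name__ == "__main__":
    totals, todo = summarise(SAMPLE_FLEET)
    for issue in ISSUES:
        print(issue, dict(totals[issue]))
    print("needs patching or investigation:", ", ".join(todo))
```

Hosts that report nothing are counted as unknown and listed for follow-up, since a kernel old enough to lack these files has not received the fixes through that kernel either.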
The flaws require malicious code to be run on vulnerable systems, so strengthening controls that block unknown code being run or introduced is a key step to take. This should include raising user awareness around email attachments, such as PDFs, or visiting websites with poor security, as Spectre can be exploited by running malicious JavaScript used by some websites and automated PDFs.
As well as reacting once patches are available from suppliers, organisations should also keep up to date with the advice given by the National Cyber Security Centre (www.ncsc.gov.uk). Guidance is available for both enterprise administrators and home users. And although there is no evidence of any exploitation as yet, businesses should still assess the risk as appropriate.
While Meltdown and Spectre could affect all types of data, the processing of personal data must comply with the Data Protection Act 1998 and, of course, the forthcoming General Data Protection Regulation (GDPR). Organisations must use the most appropriate technical and organisational controls to manage the security of their processing operations. A failure to do so could lead to personal data being compromised, which in turn could not only impact the people concerned and the business’s reputation, but could also lead to fines from the Information Commissioner’s Office. The UK ICO has commented on this in a recent blog.
What about MHR?
We host iTrent on a secure network segregated from our corporate systems. This network is protected by an intrusion detection system that detects and blocks any attempted exploitation of the Meltdown and Spectre flaws. On this network, the iTrent application and database services are hosted on Solaris using hardware with SPARC CPUs, which have not been identified as vulnerable to Meltdown and Spectre, and therefore won’t suffer the performance issues related to security patches.
However, some web and supporting systems are Windows-based and use Intel-based hardware. To mitigate the threat on these systems, we are taking the necessary measures to shore up our hardware, including monitoring the release of patches and deploying where necessary.