What are Meltdown and Spectre?
Researchers found that the main chips made during the past 10+ years, found in most modern computers, have a design flaw. This flaw would allow malicious programs to capture data being processed in your computer's memory. Programs are normally not able to do this because they are isolated from each other and from the operating system, but this hardware flaw breaks that isolation.
If your machine is infected with malware that exploits this flaw, criminals can get access to your passwords stored in a password manager or browser, emails, instant messages and even documents. (Such malware has yet to be discovered, but you can bet cyber criminals are working to create exploits.) It is important to understand that the vulnerable machine has to have malware running in order for this flaw to be exploited.
Meltdown further explained (with an analogy)
Meltdown is the name given to an exploitation technique known as "rogue data cache load." The Meltdown technique allows data in a computer's kernel memory to be read. It is believed that this flaw has the most potential to be exploited.
Here is an analogy to help explain:
Explaining #Meltdown to non-technical spouse.
“You know how we finish each other’s...”
“No, sentences. But you guessed ‘sandwiches’ and it was in your mind for an instant. And it was a password. And someone stole it while it was there, fleeting.”
“Oh, that IS bad.”
— Scott Hanselman (@shanselman) January 5, 2018
Spectre further explained (with an analogy)
Spectre actually covers two different exploitation techniques known as "bounds check bypass" and "branch target injection." These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.
Here is another analogy to describe Spectre:
Here's my layman's not-totally-accurate-but-gets-the-point-across story about how #meltdown & #spectre type attacks work: — Joe Fitz (@securelyfitz) January 4, 2018
Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to read one of the books. 1/10
You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book." 2/10
The librarian dutifully goes and gets special book #1, looks at page 1, sees 'C', and also grabs 'C is for Corpse', and comes back to the desk, but does not show you the books. 3/10
The librarian scans your card, then scans the first book, and says "sorry, you don't have access to this book, let's start over." But puts the books on the nearby re-shelve cart instead of back on the shelf. 4/10
In response you say "I'd like to borrow 'A is for Alibi'" and the librarian responds "just a moment while I get that". You interrupt and ask for 'B is for Burglar' and the librarian responds "just a moment while I get that" again. 5/10
When you interrupt again, and say "I'd also like C is..." the librarian interrupts you to say "oh I have that one right here on the cart!" 6/10
You say "Great! But actually I don't want any books. You can put all those back!" and write down 'C' in your notebook. 7/10
The dutiful librarian re-shelves all the books and then you repeat the process... For every single letter on every page in special book #1. The librarian is especially dutiful and luckily fast, so this only takes you a few moments. 8/10
Let's try fixing it by having a separate shelf, reshelving rack, librarian, and line for the special collection. It solves the problem, but all the people who have access to and use the special collection complain about how it takes 5 to 30% longer to get their books. 9/10
So, the books are memory. The special collection is operating system or other programs memory. The reshelving rack is cache and/or register file. The librarian is the page management.
It's not a perfect analogy, but it describes it in non-technical terms. Feedback welcome. 10/10
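The librarian analogy can be turned into a small Python model, added here as an illustration (it is not part of the quoted thread or the original post). It touches no real hardware: the cache is a plain set, "timing" is a membership test, and `ToyCPU`, `kernel_mapped`, `recover_byte` and the sample secret are all hypothetical names and constructed data. It shows why a denied read still leaves something observable behind, and why the "separate shelf" fix from the thread removes it.

```python
# Toy model of the librarian analogy: books = memory, re-shelve cart = CPU cache.
# Nothing here touches real hardware or timing; every name is illustrative.

class ToyCPU:
    def __init__(self, kernel_memory, kernel_mapped=True):
        self.kernel = kernel_memory          # the "special collection"
        self.kernel_mapped = kernel_mapped   # False models the separate-shelf fix
        self.cache = set()                   # the "re-shelve cart"

    def flush(self):
        """Librarian re-shelves everything (the cache is emptied)."""
        self.cache.clear()

    def user_read_kernel(self, addr):
        """User code asks for a kernel byte it has no right to read."""
        if self.kernel_mapped:
            # Speculation: the byte and the lookup that depends on it are
            # fetched before the permission check has finished.
            secret = self.kernel[addr]
            self.cache.add(("probe", secret))
        # The permission check always fails and the result is discarded,
        # but the cache is not rolled back.
        return None

    def is_fast(self, line):
        """Stand-in for timing a load: cached lines come back quickly."""
        return line in self.cache


def recover_byte(cpu, addr):
    """See which of 256 probe lines became fast after the denied read."""
    cpu.flush()
    assert cpu.user_read_kernel(addr) is None    # access is denied either way
    hits = [v for v in range(256) if cpu.is_fast(("probe", v))]
    return hits[0] if hits else None


def recover(cpu, length):
    return [recover_byte(cpu, a) for a in range(length)]


SECRET = b"C is for Corpse"                       # constructed sample data
unpatched = ToyCPU(SECRET, kernel_mapped=True)
patched = ToyCPU(SECRET, kernel_mapped=False)

if __name__ == "__main__":
    print(bytes(recover(unpatched, len(SECRET))))  # cache footprint reveals the text
    print(recover(patched, 3))                     # nothing left to observe
```

In the model the read is refused in both cases; the only difference is whether the refused read was able to touch the data first, which is what the operating system patches change.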
How big of a deal is this? And will we be dealing with this for a while?
What devices do each of the flaws affect?
The Meltdown vulnerability is strictly a vulnerability for Intel processors.
The Spectre vulnerability affects all servers, workstations, and mobile devices, as well as operating systems like Windows, macOS, and Linux. Spectre was shown to work on Intel, AMD, and ARM processors.
Is my iPhone or Android affected?
"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS."
On the company's official blog, Google says that affected devices include:
- Android phones
- Google Apps like Gmail or Drive
- Google Chrome web browser
- Google Home smart speaker
- Google Chromecast
What equipment, if any, will need to be replaced? What will need to be repaired?
Nothing will need to be replaced or repaired. Instead, updates will need to be run. The downside is that after the updates, processors running at 1.0 GHz are likely to lose between 5 and 30% of their speed. As software updates and patches are applied to your devices, you may or may not notice a drop in speed, depending on your machine. However, if your computer already handles a heavy processing load, the software patches could put you over the edge, and that would mean it's time to upgrade your computer.
What can I do to protect my data and organization?
Because this flaw is only an issue if malware is installed on your system, there are two important things to do:
1. Be Diligent.
Use caution with what you install or open on your machine. Train and educate your users to recognize suspicious sites and emails.
2. Allow For Updates.
Tech companies will have issues to fix on their end, although this might mean you have to update your own device manually to allow those updates to take place.
In a statement, Microsoft said it was "aware of this industry-wide issue" and that it is working closely with Intel and AMD to keep users safe.
What is LIVE Consulting’s role in this?
We’re here as an adviser. We’ll update systems as patches come out for our managed clients, and keep you updated through the process. We are monitoring updates from our partners such as SonicWall and ESET and will post updates via email and this blog. If you have any specific questions, please ask!