It’s recently been revealed that a design flaw in basically all of the world’s microprocessors can be exploited, allowing attackers access to sensitive data like passwords.
The two exploits, named Meltdown and Spectre, were discovered by researchers from Google Project Zero in June 2017, but because of their very nature, the flaws could have been around for over a decade.
These vulnerabilities are different to other recently discovered tech vulnerabilities because these are flaws in hardware. Exact details of the way in which the exploits work have been kept quiet by Intel, but researchers have stated that the bug lies within the way in which the microprocessor hardware was originally designed.
Both Meltdown and Spectre are exploits of ‘speculative execution’. Speculative execution is a concept that processor manufacturers use to increase performance speeds. It works by allowing the processor to predict what it will need to do next. If the processor’s guess is correct, then performance is quicker, and that’s why manufacturers use this method. If the guess is incorrect, then the instruction is supposed to be reversed. However, when a predicted instruction is reversed, some data remains in the cache. This is the data that can be accessed by the Meltdown and Spectre exploits, and would theoretically allow potential attackers to read system memory.
With this in mind, at Fasthosts we have already set in place preventative measures and are working diligently with our technology partners to ensure that we use everything at our disposal to ensure that our customers remain unaffected from this exploit.
Last year's WanaCry ransomware attack exposed a bug in older versions of the Windows operating system, the solution was simple: Microsoft fixed the flaw, and rolled out an update. With the new Meltdown and Spectre vulnerabilities the solution is not so simple.
Meltdown only affects processor chips built by Intel, so, considering Intel’s market share, could affect 80% of PCs worldwides. Spectre, on the other hand, affects Intel, AMD, and Arm processor chips, so will also affect smartphones and servers as well as personal computers. So that’s, at a guess, 10 billion devices affected?
Where the fix gets complicated is in the fact that it’s a hardware design flaw, not a software flaw. The only way Intel, and other manufacturers, can fix this design flaw is by getting rid of it in their next generation of processors. So that either means a complete recall of every single device on the planet, or they just let everyone wait around for the next three years whilst Intel fix the problem, and everyone buys new devices with new exploit-free hardware. Either option sounds unfavourable to me.
So, although there is no immediate fix, there is a solution that kind of works around the Meltdown exploit, rather than fixing it. Operating system providers like Microsoft with Windows and Apple with macOS, as well as the open source Linux community, are already beginning to roll out updates that work around the discovered flaw with the processor chips.
The patch, provided by the people who discovered the problem, is through a method called kernel page table isolation (KPTI) which safeguards the memory stored in the kernel of the processor. This patch negates the flaw exposed by Meltdown, but could result in reported performance slowdowns of up to 30%.
It should be noted that there is no workaround for Spectre, and the only real fix is ‘wait for new processors and don’t click any dodgy links’, but the Spectre exploit is also much more difficult for an attacker to execute.
The immediate reaction to the news was, naturally, outrage. Effectively, the reason for this flaw is because of the ever-growing competition between chip manufacturers, and their speed vs security dilemma. Processors are always designed to be faster and faster, and that’s why Intel made use of the speculative execution method. That decision is ultimately what caused the Spectre and Meltdown vulnerabilities.
It opens a wide discussion of the speed vs security topic, especially considering that some users can expect to see an up to 30% decrease in post-patch performance speeds. By choosing speed, chip makers failed to ensure that their design was secure.
On the day the news broke, Intel’s stock price plummeted, whilst competitors AMD saw their share price rise by 5%, but perhaps investors weren’t aware that the Spectre branch of the exploit also affected AMD processors. However, AMD state that there is a ‘near zero’ risk of exploitation – this statement is refuted by the researchers who originally found the Spectre vulnerability.
Intel have also fought back against claims, and said in a statement that they believe “these exploits do not have the potential to corrupt, modify or delete data.” Although that may be true, the exploit does have the potential to steal the data, and that’s probably just as bad. The statement also said “reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.” This is perhaps their way of passing along some of the blame, by reminding people that their competitors AMD and Arm are also affected. But whether they want to call it a bug or a ‘complete and catastrophic oversight in architectural design’ is still up for debate.
Google researchers informed Intel that they’d discovered the flaw in June 2017. Original public disclosure was scheduled for the week beginning 8th January 2018, but the news was leaked, and Intel had to admit to it and release the statement a week early.
It is, in my opinion, interesting that at the end of October 2017 – five months after Intel were informed of the bug – Intel’s own CEO sold a reported $39 million worth of shares in the company. An Intel spokesperson has denied that the stock-dump was related to the discovery of the security vulnerabilities, but it is, at the very least, interesting.
For now, and as always, the best way to ensure that you as a user are protected is to install operating system and browser updates as soon as they become available. Teams at Microsoft, Apple, Google and Mozilla are working to ensure that the provided workaround keeps web users, and their data, safe. Operating systems have either already been patched, or are close to it, and whilst web browsers like Chrome and Firefox work on a full-browser patch, they’ve suggested that users enable strict site isolation.
Chrome users can enable strict isolation by typing chrome://flags/#enable-site-per-process into their browser, and Firefox users can go to about:config?filter=privacy.firstparty.isolate