For those who haven’t seen anything about this yet, details of two new exploits that could enable malicious code on websites to trick your computer or mobile devices CPU into giving away private information such as website passwords have been made public.
Essentially the semiconductors industry has made a huge blunder and left a security design flaw in many CPUs such as are used in computers and mobile devices. It’s pretty serious - CERT The Cyber Emergency Response Team in the US originally recommended: "Throwing your CPU away and getting a new one" to be completely safe - they have now downgraded this advice to 'apply updates' which is much more helpful and realistic.
The exploits are known as Side-Channel-Analysis exploits and work by taking advantage of a feature within the CPU architecture whereby, during idle period, the CPU tries to speculatively pre-fetch (guess) what information is going to be requested next, that information is then held in a cache (temporary storage area) ready to be used - what sort of work you are doing will alter how much pre-fetching is going on.
Part of the problem is that the CPU cache is accessible and it shouldn't be. Therefore, if an attacker (via malicious code on a website) can make the CPU think that certain information is likely to be needed soon, the information will get cached and can then be read by the attacker (information such as website passwords and usernames).
Meltdown exploit - this is the first type of CPU vulnerability and unfortunately is quite easy to use making it quite serious and likely to be encountered by lots of people - the flip side is that it's also relatively easy to address and patches are now available to do this for most operating systems - however, this comes at a cost - see below.
Spectre - This is the second type of exploit and can be done in two ways that have been termed variant 1 and variant 2 respectively.
Fortunately, both are difficult to exploit meaning a lower risk of encountering them but are also harder to address.
Variant 1 is a type of attack called a 'Bounds-bypass-check' and variant 2 is a type of attack called a 'Branch-target-injection' attack.
How they all work is too technical for this post but plenty of information is available online, if you're interested, but the end result is the same - a serious security flaw exists that will fundamentally alter how CPUs operate to fix the flaw.
Cost to CPU performance
I've mentioned that patches are available and applying these patches will, unfortunately, come at a cost - they will effectively dumb down the CPU's and MAY (not WILL) cause them to run slightly slower - the impact will depend on how much of the speculative pre-fetching is going on on each individual computer and as such can't easily be quantified in general terms, some sources suggest performance degradation of about 5%, others report 17% and some have reported 30%.
For our customers, we can't provide information beyond these figures and as these figures may not be representative of what our customers are doing, they may ultimately be meaningless and customers may not notice any significant performance degradation.
- To ensure patches are applied quickly as they are released.
- Do not allow websites to run untrusted code.
- Google Chrome and Firefox web browser users can also enable an experimental feature called site isolation that will prevent one website from being able to access details of another which helps mitigate the problem significantly.
Patches are now available from VMware here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
VMware patches for appliances: https://kb.vmware.com/s/article/52264
Bitdefender real-time compatibility information and patches: http://bit.ly/2CWjthr
Where VMware will release any updates regarding Meltdown and Spectre: https://kb.vmware.com/s/article/52245
The article below from the Register has some more details and there are a few other articles I’ll add as replies to this post:https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
A subsequent Register post gives some more information: https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/
Enable Site Isolation in Google Chrome: https://www.bleepingcomputer.com/news/google/heres-how-to-enable-chrome-strict-site-isolation-experimental-security-mode/
Enable Site Isolation in Firefox: https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
Advice for MacOS and iOS users: https://m.imore.com/meltdown-spectre-faq
Advice for Android users: https://www.google.co.uk/amp/s/www.androidauthority.com/meltdown-spectre-kpti-827527/amp/
Tips on how to mitigate the risk: https://www.renditioninfosec.com/files/Rendition_Infosec_Meltdown_and_Spectre.pdf