For those who haven’t seen anything about this yet, details of two new exploits that could enable malicious code on websites to trick your computer or mobile devices CPU into giving away private information such as website passwords have been made public.

Overview

Essentially the semiconductors industry has made a huge blunder and left a security design flaw in many CPUs such as are used in computers and mobile devices. It’s pretty serious - CERT The Cyber Emergency Response Team in the US originally recommended: "Throwing your CPU away and getting a new one" to be completely safe - they have now downgraded this advice to 'apply updates' which is much more helpful and realistic.

Vulnerabilities

The exploits are known as Side-Channel-Analysis exploits and work by taking advantage of a feature within the CPU architecture whereby, during idle period, the CPU tries to speculatively pre-fetch (guess) what information is going to be requested next, that information is then held in a cache (temporary storage area) ready to be used - what sort of work you are doing will alter how much pre-fetching is going on.

Part of the problem is that the CPU cache is accessible and it shouldn't be. Therefore, if an attacker (via malicious code on a website) can make the CPU think that certain information is likely to be needed soon, the information will get cached and can then be read by the attacker (information such as website passwords and usernames).

Meltdown exploit - this is the first type of CPU vulnerability and unfortunately is quite easy to use making it quite serious and likely to be encountered by lots of people - the flip side is that it's also relatively easy to address and patches are now available to do this for most operating systems - however, this comes at a cost - see below.

Spectre - This is the second type of exploit and can be done in two ways that have been termed variant 1 and variant 2 respectively.

Fortunately, both are difficult to exploit meaning a lower risk of encountering them but are also harder to address.

Variant 1 is a type of attack called a 'Bounds-bypass-check' and variant 2 is a type of attack called a 'Branch-target-injection' attack.

How they all work is too technical for this post but plenty of information is available online, if you're interested, but the end result is the same - a serious security flaw exists that will fundamentally alter how CPUs operate to fix the flaw.

Cost to CPU performance

I've mentioned that patches are available and applying these patches will, unfortunately, come at a cost - they will effectively dumb down the CPU's and MAY (not WILL) cause them to run slightly slower - the impact will depend on how much of the speculative pre-fetching is going on on each individual computer and as such can't easily be quantified in general terms, some sources suggest performance degradation of about 5%, others report 17% and some have reported 30%.

For our customers, we can't provide information beyond these figures and as these figures may not be representative of what our customers are doing, they may ultimately be meaningless and customers may not notice any significant performance degradation.

Advice

To ensure patches are applied quickly as they are released.
Do not allow websites to run untrusted code.
Google Chrome and Firefox web browser users can also enable an experimental feature called site isolation that will prevent one website from being able to access details of another which helps mitigate the problem significantly.

Available Patches

Patches are now available from VMware here: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

VMware patches for appliances: https://kb.vmware.com/s/article/52264

Bitdefender real-time compatibility information and patches: http://bit.ly/2CWjthr

Useful Links

Where VMware will release any updates regarding Meltdown and Spectre: https://kb.vmware.com/s/article/52245

The article below from the Register has some more details and there are a few other articles I’ll add as replies to this post:https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

A subsequent Register post gives some more information: https://www.theregister.co.uk/2018/01/05/spectre_flaws_explained/

Enable Site Isolation in Google Chrome: https://www.bleepingcomputer.com/news/google/heres-how-to-enable-chrome-strict-site-isolation-experimental-security-mode/

Enable Site Isolation in Firefox: https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/

Advice for MacOS and iOS users: https://m.imore.com/meltdown-spectre-faq

Advice for Android users: https://www.google.co.uk/amp/s/www.androidauthority.com/meltdown-spectre-kpti-827527/amp/

Tips on how to mitigate the risk: https://www.renditioninfosec.com/files/Rendition_Infosec_Meltdown_and_Spectre.pdf

Mar 25, 2024

Essential Tips for Mastering Microsoft Loop

In this episode, we're unravelling the mysteries of the latest Microsoft 365: Loop. Join us as we equip you with all the essential details to transform from a Loop novice to a Loop legend.

Feb 5, 2024

The power of Copilot: tips, tricks and real world wins

Join us as we explore the innovative world of Copilot, diving into its various versions, standout features, and the benefits they bring. Consider this episode your guide to integrating Copilot seamlessly into your organisation, equipped with essential tips on data governance and organisation-wide templates.

Oct 2, 2023

Navigating the Modern Management Maze: A Deep Dive into Intune and Autopilot

In this tech-packed conversation, we demystify the intricacies of modern management and unveil the power duo – Microsoft Intune and Windows Autopilot.

Blog

Meltdown and Spectre CPU Exploits

Overview

Vulnerabilities

Cost to CPU performance

Advice

Available Patches

Useful Links

Read more of our blog posts below...

Define Tomorrow™

Our latest blog posts