ADVISORY: Apply updates for computer chip vulnerabilities—Meltdown & Spectre

Thursday, January 4, 2018

1/23/18 update: Intel is recommending that people stop deployment of current versions and either help test new versions of an updated solution or wait for the new solution to be released: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners (Intel Newsroom, 1/22/18).

— — —

1/5/18 update: This Insitute for Advanced Study blog post, What I'm doing about Meltdown and Spectre, offers reassurance that, for most users, as long as you routinely update your devices and software, choose strong passwords, and run anti-malware software, there is no need to panic about these vulnerabilities.

— — —

This advisory was sent via email to the IT Security Community, Frontline Notify, Unix Admins, Windows Admins, MacSig, and www-sig groups on January 4, 2018.

Summary

Security vulnerabilities in computer chips made by Intel, AMD, ARM and others could allow low-privilege processes to access kernel memory that is allocated to other running programs. The vulnerabilities—called Meltdown and Spectre—could allow an attacker to access information including passwords, encryption keys, and more. Linux, Windows, Apple, and others have already released updates to begin addressing the vulnerabilities. Watch for updates from the manufacturers of your devices and operating system vendors and apply them as soon as possible after appropriate testing. IA is monitoring news and security reports.

Problem

According to Wired, "The theoretical attack, which takes advantage of quirks in shortcuts Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer. And on multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, it could even allow hackers to break out of one user's process, and instead snoop on other processes running on the same shared server."

Threats

There have been no reports of attackers exploiting the Meltdown and Spectre vulnerabilities. However, security researchers have released proof-of-concept code demonstrating methods of exploiting Meltdown and Spectre.

Affected Systems

Devices that include an affected chip or processor. This includes Intel chips, as well as those made by other companies.

  • Meltdown. Every Intel processor that implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). All modern processors capable of keeping many instructions in flight are potentially vulnerable.
  • Spectre. Almost every system is affected by Spectre, including desktops, laptops, cloud servers, smartphones, and so on. Spectre has been verified on Intel, AMD, and ARM processors.

Action Items

  • Apply operating system updates as they become available after appropriate testing. Microsoft, Apple, the Linux community, and others have already released updates that begin to address the vulnerabilities and may release more as researchers learn more about the vulnerabilities and their possible impact.
  • Apply other software updates as they become available after appropriate testing. Microsoft, Google, and Mozilla are all issuing patches for their web browsers, for example.
  • Apply firmware updates as they become available after appropriate testing.

MiWorkspace staff members are working with Information Assurance and will update MiWorkspace computers as soon as possible.

It has been reported that the software updates could slow performance, IA recommends they be installed nonetheless.

Technical Details

Meltdown and Spectre vulnerabilities exist in personal computers, mobile phones, and servers, both in and out of the cloud. Meltdown and Spectre exploit different aspects of the same vulnerability present in modern processors.

  • Meltdown. The Meltdown exploit breaks isolation between user applications and the user’s operating system. Using this attack, a malicious program can access memory secrets of other programs running in the operating system. Meltdown is easier to exploit than Spectre, but software updates for Linux, Windows and OS X that mitigate it are already available. There have been reports that Meltdown patches decrease processor performance. Slower CPU performance seems to be limited to specific use cases and has not been officially verified or confirmed. See Meltdown white paper (PDF) for details.
  • Spectre. The Spectre attack breaks down isolation between different applications. Attackers exploiting Spectre could trick running processes into leaking secrets. In some situations, CPU IT security measures could increase the attack surface and make applications more vulnerable to Spectre. Spectre is harder to exploit than Meltdown; however, mitigation is more difficult as well. Software patches have been released to address known exploits that can leverage the Spectre vulnerability. See Spectre white paper (PDF) for details.

Information for Users

MiWorkspace machines will be patched as soon as possible. If you have set your personal computer to automatically install updates, you will get the latest security patches as soon as they are available.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.

References