LENSEC Provides Valuable Networking Security Info Regarding Spectre and Meltdown Vulnerabilities

LENSEC Expert Helps With Network Security Vulnerabilities

In early January the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) vulnerabilities were disclosed to the public. Both vulnerabilities could allow an exploit to leak sensitive data due to a CPU feature known as Speculative Execution.

To help optimize speed, a CPU will use its idle time to run computations for data that it believes will be called next. Modern CPUs have done an excellent job of predicting what will be called next, but sometimes this prediction is wrong. When this happens, the CPU discards the data and continues with the correct operation. However, the data remains in the CPU’s cache just in case the CPU needs to retrieve the data in the future. The data that remains can be sensitive in nature such as encryption keys or passwords.

LENSEC’s Senior Systems Support Engineer, Nick Stigers, says the exploits using the Meltdown vulnerability scan the CPU’s cache to reveal the data that’s been left behind. The Meltdown vulnerability affects Intel and some ARM-powered machines, while AMD-equipped computers remain mostly unaffected. Stigers explains, “Meltdown exploits are easy to create by hackers, but they are also easy to mitigate via operating system and BIOS updates.”

Spectre exploits, on the other hand, are much tougher to create, but also more difficult to mitigate. Spectre works differently than Meltdown. Rather than finding ways to access the CPU’s cache directly, Stigers says Spectre targets applications installed on the device. According to Stigers, “In a nutshell, Spectre exploits trick applications into running unnecessary speculative actions and leak the data to the exploit. Spectre mitigation is more difficult since it targets any application and essentially all processors from AMD, ARM, and Intel are vulnerable.”

Exploits utilizing both vulnerabilities are designed to leak data and are not designed to execute remote code such as installing malware or ransomware. It is also important to note that there are currently no known exploits that have been created to utilize either vulnerability; however, applying mitigation should be a top priority.



A three-step approach is needed to fully protect a device:

Operating System
Operating system updates greatly mitigate the Meltdown vulnerability. Microsoft has released security updates for the Windows Server 2012 R2, Windows Server 2008 R2, Windows 10, Windows 8.1, and Windows 7 operating systems. These updates are available via Windows Update.

  • Due to incompatibility issues with certain third-party antivirus software, Microsoft requires that a special registry key be present in order to receive the update via Windows Update. If the device is equipped with a compatible third-party antivirus or Microsoft product (i.e. Windows Defender), then this registry key should already exist. If the key is not present, then contact the antivirus manufacturer. If the device is not running antivirus, then the registry key will need to be set manually.
  • Microsoft offers a handy guide for ensuring that the system has been updated and verifying that the protections have been enabled.
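
A read-only PowerShell check for the two bullets above, added here as an example and not taken from LENSEC or Microsoft: it tests for the antivirus compatibility registry value and, if Microsoft's SpeculationControl module is installed, summarizes whether the mitigations are enabled. The registry path and value name come from Microsoft's published guidance rather than this article, and the function names are hypothetical.

```powershell
# Added example (not LENSEC or Microsoft code). Read-only: it changes nothing.
# Assumption: key path and value name follow Microsoft's public guidance for the
# antivirus compatibility flag; they do not appear in the article itself.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatKey {   # hypothetical helper name
    # True only when the value exists and is 0, the state Windows Update checks for.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 0)
}

function Get-MitigationSummary {   # hypothetical helper name
    $summary = [ordered]@{
        Computer           = $env:COMPUTERNAME
        AvCompatKeySet     = Test-AvCompatKey
        ModulePresent      = $false
        MeltdownMitigated  = $null   # CVE-2017-5754
        SpectreV2OsEnabled = $null   # CVE-2017-5715, operating system side
        SpectreV2HwSupport = $null   # CVE-2017-5715, BIOS/microcode side
    }
    # SpeculationControl is Microsoft's verification module from the PowerShell
    # Gallery; install it first with: Install-Module SpeculationControl
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        $s = Get-SpeculationControlSettings   # also prints its own report
        $summary.ModulePresent      = $true
        # Kernel VA shadowing is only required on CPUs affected by Meltdown.
        $summary.MeltdownMitigated  = (-not $s.KVAShadowRequired) -or
                                      $s.KVAShadowWindowsSupportEnabled
        $summary.SpectreV2OsEnabled = $s.BTIWindowsSupportEnabled
        $summary.SpectreV2HwSupport = $s.BTIHardwarePresent
    }
    [pscustomobject]$summary
}

Get-MitigationSummary | Format-List
```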

Hardware
A BIOS update is necessary to help mitigate Spectre vulnerabilities. HP and Dell initially released BIOS updates for their devices. They have both suspended them as of January 22nd at the recommendation of Intel. Both state that an updated BIOS for their devices will be available soon. For other manufacturers, please contact the OEM BIOS manufacturer.

Web Browsers
The most probable access point for Spectre exploits would be through the web browser via malicious JavaScript code. This code can be embedded in a web page or delivered as part of a third-party ad on a page. Mozilla Firefox has implemented fixes in their latest version. Google is advising users to take advantage of security enhancements that are part of the Chrome browser. Security patches for Microsoft Edge and Internet Explorer have been released via Windows Update.

If you are a LENSEC VAR partner or end-user customer and you want to learn more about how this affects your equipment in your physical security environment, please contact our tech support team for assistance.

CONTACT: LENSEC Technical Support
PHONE: (713) 395-0800 Option 1
EMAIL: [email protected]