Spectre and Meltdown attacks, think the sky is falling?
Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors. We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you on the steps that Echoworx is taking to address them.
What are these attacks?
Spectre is actually two different vulnerabilities, and Meltdown is one. Both of these attacks exploit features of ‘modern’ microprocessors called ‘speculative execution’. Speculative Execution is a technique of prefetching data and pre-executing instructions in case they are needed. Basically if they are not needed, there are still remnants of the data in memory which can be read by other processes.
The Meltdown attack is the worst of the two in that it can reveal all of the computers memory, not just a few bits and pieces of it. Meltdown is also easier to exploit. Fortunately Meltdown is also easier to patch against. Spectre on the other hand is harder to exploit, reveals less, but is harder to address through patches. There are patches out for specific known exploits.
What is affected by these attacks?
“Modern” isn’t so modern… at least not in computer terms. Basically any Intel processor built since about 1995 would be impacted. Intel, AMD, ARM, processors and others are also impacted to varying extents. There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear if this is proven to be so, or just hasn’t been accomplished yet. It would be best to err on the side of caution.
What should you as an individual do on your personal devices?
You should always keep up to date with patches, and this case is no different. There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications. Applying these will help to protect you.
You should also make sure that your Anti-Virus/Internet Security software is up to date. Microsoft has announced that their fixes might have compatibility issues with some anti-virus software. The patch for windows will not install if you have an outdated AV or one that is incompatible. I would update the AV software first, and then apply the MS patch.
Be aware that some of the fixes to this issue could cause a performance impact. There are some pretty wild estimates of how bad of an impact there could be, but the vendors I have seen have so far reported minimal impacts. For example, Apple reports a maximum of 2.5% against 1 benchmark for these fixes.
By David Broad CISSP, Information Security and Audit Lead, Echoworx