Meltdown Spectre Vulnerabilities
Richard Hutchings

About the author

Richard Hutchings: Chief Technology Officer at Littlefish



Share via:

Meltdown & Spectre Security Vulnerabilities

04/01/2018


You will have no doubt read this morning that two separate security flaws have been discovered by security analysts which potentially impact a large number of devices. Although these vulnerabilities are chipset related, they are officially defined as two separate vulnerabilities – known now as Meltdown and Spectre;

  • The Meltdown vulnerability affects laptops, desktop computers and internet servers with Intel chips.
  • The Spectre vulnerability potentially has a wider reach as it affects chips in smartphones, tablets and computers powered by Intel, ARM and AMD processors.

Littlefish is currently liaising with the major vendors (Microsoft, Apple, and Google) to gain a better understanding of the vulnerabilities and their anticipated security updates/solutions. At this stage the UK’s National Cyber Security Centre (NCSC) have stated that there was no evidence that the vulnerabilities have been exploited, however a key aspect here is to ensure that your security products are all up to date on both end-user and server platforms (Littlefish will continue to do this for customers across supported devices) and that your users remain vigilant when receiving emails or web browsing.

 

How Do Meltdown & Spectre work?

Meltdown & Spectre both exploit critical vulnerabilities in modern processors on personal computers, tablets, mobile devices and in the cloud, that allow access to data being processed by the computer. Malicious programmes are able to access data stored in other running applications – potentially including passwords, personal data and critical business data.

 

Meltdown

Meltdown Vulnerability Logo

Why is it called Meltdown?

The bug basically melts security boundaries which are normally enforced by the hardware.

 

About Meltdown

Meltdown was discovered and reported by three independent teams: Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz at Graz University of Technology, Werner Haas and Thomas Prescher at Cyberus Technology and Jann Horn at Google Project Zero. Computers with vulnerable processors running unpatched operating systems risk data exposure. By de-isolating user application and operating system and therefore allowing access to arbitrary system memory, malicious programmes can access the memory and therefore data of other running programmes and the operating system itself.

 

What is the CVE-2017-5754?

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

 

Spectre

Spectre Vulnerability Logo

 

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

 

About Spectre

Spectre was uncovered by two independent teams: Jann Horn at Google Project Zero and Paul Kocher in collaboration with Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61). Harder to exploit but also harder to mitigate than Meltdown, Spectre risks data exposure from programmes that follow security best practise (best practices in fact make programmes more susceptible). By de-isolating applications from one another, Spectre tricks applications into accessing arbitrary memory locations, allowing attackers to force programmes to reveal data.

 

What are CVE-2017-5753 and CVE-2017-5715?

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

 

The Extent Of The Risk

Meltdown potentially affects every Intel processor implementing out-of-order-execution – the majority of processors since 1995 – including desktop, laptop and cloud computers. Spectre has an even wider footprint – affecting almost every system from smartphone and tablets, to desktops, laptops and even cloud servers. With no traces left in traditional log files, you’re unlikely to detect if someone has exploited either vulnerability against you.

 

Is there a workaround/fix?

There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre.

 

Which cloud providers are affected by Meltdown?

Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

 

More Information – External Links



Read More
Littlefish Shortlisted CRN Channel Awards 2018

Littlefish Shortlisted For 25th Channel Awards

05/09/2018

Littlefish has been named in the 2018 ‘Managed Services Provider of The Year’ shortlist at the 25th CRN Channel Awards. Littlefish ...


Read More
Service Desk Engineer Roles Nottingham

The People Driving The Future of Business

02/08/2018

In today’s rapidly shifting landscape, Service Desk roles are a solid IT career foundation. 9:32pm on a Friday evening in the ...


Read More
Nottingham IT jobs

Meet the giant slayers

27/07/2018

There’s good reason for jobseeker optimism in Nottingham’s flourishing tech industry. Despite Nottingham having the lowest employment rate in the UK ...


Read More
Customer Experience Awards Finalists Littlefish

Littlefish Named 2018 UK Customer Experience Awards Finalist

05/07/2018

Littlefish is proud to announce it has been named a finalist in the 2018 UK Customer Experience Awards ‘Customer Centric ...


Read More

The Littlefish Digital Transformation Survey: Healthy Habits: Common IT issues

29/06/2018

In this increasingly digital world, where big business is data driven, IT is supposed to inform strategy and help reach ...


Read More
Holly Palmer ITSM Young Professional of The Year

Holly Palmer – ‘Young ITSM Professional of The Year’ winner

18/06/2018

Littlefish Service Desk Administrator Holly Palmer wins Young ITSM Professional of the Year at the ITSMF Professional Service Management Awards ...


Get in touch

Whatever your query or requirements, we’d love to hear from you.

Support: 0344 848 4441

Send us a message

  • At Littlefish we take your privacy seriously and want to be transparent about how we will use your data. We will process your personal information to provide you with services and information you request from us and to deal with your enquiry.

    By completing this form and providing us with your information, we believe you’re expressing an interest in our services: therefore we’d like to contact you in the future with other information, and about other services we offer, that we believe will be relevant and of interest to you and your organisation in a legitimate capacity.

    Read our full Data Protection & Privacy Statement here.


  • This field is for validation purposes and should be left unchanged.