Guest Post: More On Meltdown and Spectre vulnerabilities From ISA

By Bryan Pollitt, Vice-President, Professional Services at ISA

These vulnerabilities are different than most we see, because they are tied to hardware and not to an application or operating system. Hardware vulnerabilities are far rarer. The Meltdown and Spectre vulnerabilities that were discovered by a team of independent researchers including Google’s Project Zero are likely to be the worst processor bugs ever discovered.

The first of these vulnerabilities has been dubbed “Meltdown” because it essentially melts the security boundaries normally enforced by hardware. It takes advantage of a feature on almost all modern processors called “speculative execution” or “out-of-order execution” which allows the processor to execute instructions in a non-sequential manner so that the CPU spends less time idle. It leverages a race condition between instruction execution and privilege checking in order to read memory mapped data that it should not be able to.

The second of these vulnerabilities is called “Spectre” which has been described by researchers as a whole class of potential vulnerabilities in modern processors. Spectre focuses on “branch prediction”, which is a part of speculative execution. Unlike the Meltdown vulnerability, Spectre does not rely on a specific feature of the processor memory management and protection system. It is a more generalized idea that has so far been demonstrated to work against user level programs.

Since the vulnerabilities were made public this week, we’ve been working with our clients to help them understand what they can do to secure themselves. The key point here is these vulnerabilities make attacks very hard to detect. It’s very difficult from a forensics perspective to see an attack was successful.

In order to take advantage of the vulnerabilities, a cybercriminal would need a user’s device to run code. One way an attacker might execute code is to get someone to browse a website the attacker set up that uses Javascript. If an organization runs Web filtering technologies, it should strengthen policies around what sites users can visit to prevent them from visiting known bad sites, or unknown sites. Many organizations have very liberal policies on their Web filtering that don’t offer strong protection.

Organizations should also be more diligent around their e-mail policies. For example, HTML e-mail should not automatically resolve the URLs in e-mail messages. Users should also be told not to run attachments unless they are certain they are safe. It’s key that organizations ensure executable code that takes advantage of the vulnerabilities does not get into their environment.

In terms of remediation, Microsoft has released a security patch for all currently supported Windows versions to address the Meltdown vulnerability. We recommend organizations test and deploy the patch as soon as possible.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: