On January 3, 2018, a group of researchers announced a series of vulnerabilities affecting nearly all microprocessors since 1995. Over the last several weeks, you’ve probably seen many dramatic articles proclaiming doom and gloom regarding Meltdown and Spectre. Even the names strike fear to your core as you conjure images of a digital apocalypse.
While there certainly were some grisly predictions early on, temperance is beginning to settle on the technical community as we realize exactly what these two vulnerabilities actually mean. The following is my summary of what Meltdown and Spectre represent to the majority of enterprises and some advice for how to handle this new set of vulnerabilities.
What exactly are Meltdown and Spectre?
Meltdown and Spectre are based on a memory vulnerability that affects practically anything with a processor. The technical term for the vulnerability is speculative execution. It’s a design flaw built into processors worldwide and allows a processor to speed up by attempting to predict what the various applications will need before they ask. What is supposed to happen is that applications that are running simultaneously are isolated from each other in memory. Meltdown and Spectre essentially break that isolation, allowing application data to be visible to other applications, namely, an application controlled by an attacker. Potential breaches may include passwords, encryption keys and other private application data.
Meltdown, solely an Intel vulnerability, is based on a mistake in the design of this speculative execution and can be fixed by a patch from the manufacturer. Spectre is trickier. It’s an inherent flaw in the technology itself and many researchers agree that the only solution is to create a new processor to replace the flawed one, something that is quite a few years away.
Is it time to panic?
You may be asking yourself, “doesn’t this warrant a little bit of panic?” I say no. First of all, researchers so far have not found any instance of either vulnerability being exploited “in the wild,” meaning against actual production machines. Secondly, the average consumer likely doesn’t have much to fear from either of these vulnerabilities. Due to the difficulty in executing an attack against these vulnerabilities, an attacker is extremely unlikely to focus on home computers, tablets and smartphones. Instead, the threat presents itself to larger enterprises and cloud providers.
Panic patching causes more problems than solutions
Ironically, the biggest threat comes not from the vulnerability, but the patch. Within a day of the announcement, various vendors around the world started issuing patches. However, these patches were so hastily created, it caused more problems than solutions in many situations. There is a term for this: panic patching.
The first problem that presented itself, related to Meltdown, was a general decrease in performance. Exactly how much of a decrease was hotly debated for several weeks until some testing by Microsoft showed that only computers running older versions of processors (2015 or earlier) were negatively affected by this slowdown. As a result, security professionals recommend that you carefully weigh the security benefits of the patch against the impact of the loss of performance by thoroughly testing the patch before putting it into production. There’s a direct relationship between the utilization of a device and the performance degradation—high utilization, high degradation; low utilization, low degradation.
The second problem, related to Spectre, caused a much bigger, and difficult to fix, issue. When the patch was installed, mysteriously, computers began to reboot randomly. Intel identified that this reboot issue was isolated to specific processor types. They recommend that if you are using these processors to avoid patching it. The good news is, for Windows, you have the ability to disable the update in the registry even after it has been installed. This will help avoid reboots until a future fix (if possible) can be found.
The third problem is related to Meltdown. Microsoft discovered that the patch issued to fix another Meltdown vulnerability caused the dreaded BSoD unless the Anti-Virus on your system was first patched. Microsoft now has a special registry key that A/V vendors can activate when they have completed their patch. Once the registry key is flagged, Microsoft will push the Meltdown patch through.
Your performance is unlikely to be impacted
Meltdown and Spectre are real but not found “in the wild.” The performance impacts to consumers and workstations are believed to be minimal and limited to older CPUs (2015 or earlier). Now that the patches have been analyzed and the issues identified, the general recommendation for consumers and workstations is to patch unless you have a specific reason not to (such as A/V not patched yet). Apple and Microsoft both have patches for their respective devices and operating systems. Linux also has some solutions to consider. Check with your respective distribution forums for more information.
For enterprises and cloud providers, there are some fixes available but you need to weigh the performance costs against the security benefits. If you find the performance losses are significant or if the performance risks outweigh the security risks, researchers and vendors recommend that you NOT patch, at least for now. Use Defense in Depth to secure where you can to reduce overall risk.
Never miss another article. Sign up for our newsletter.