
All about Meltdown & Spectre

What is behind Meltdown and Spectre and how does seculution protect?

Update 6/2018

Things have become quieter around Meltdown and Spectre, but news and speculation keep surfacing about the danger that these still active and not completely patchable vulnerabilities might pose. Because interested parties and customers keep asking, here is another update on these vulnerabilities.
The information in this update comes from the podcast “Security Now” by Steve Gibson, who provides the analysis tool “InSpectre” together with his company “Gibson Research Corporation”.

One fact remains: Spectre and Meltdown need malware on the computer.
“[...] That suggests that you've got malware on your machine; right? So if you've got something malicious on your machine, it's game over anyway. [...] The only way to be infected is if something is running in your computer.”

If malware is already running on the computer anyway, the attacker does not need to use Meltdown or Spectre to do what attackers do: 
“[...] And so here on a personal workstation, if you've got something, you know, if you've got something that is in your system, the last thing it's going to do is use Meltdown and Spectre. It's just going to look around and do whatever it wants to.” 

In a typical corporate environment this is not an issue; it is rather a matter for hosting providers:
“[...] The reason it's interesting for virtualized environments is that bad guys could deliberately be running malicious virtual machines, trying to get across into other virtual machines on the same hardware.” 

Reports about attacks through browser scripts are also no longer accurate, because browser manufacturers have reduced the timer resolution available to scripts so that Meltdown attacks do not work:
“[...] There was some concern that maybe a malicious web page could do this. But web pages do not, you know, the timing information has already been fuzzed by other mitigations against other attacks. So web pages don't have the resolution - the code, the JavaScript running on a web page isn't a means into your system.” 

“Real” attacks do not seem to exist to this day:
“[...] And still six months later we've never seen this ever, ever used. [...] Even now, six months later, this is still a theoretical problem and is not practical.” 

Summary:
Spectre and Meltdown are a problem for hosting providers, not for corporate networks or home users. Another fact that remains is that those who are worried are still 1,000 times better protected with seculution than with any other means.

Source: Gibson Research Corporation
More in the transcript of the podcast “Security Now”, Episode 668, on grc.com

Update 2/2018

Even more than a month after the Meltdown and Spectre vulnerabilities were revealed, a large number of hardware manufacturers and security researchers are still working on the issue. While the manufacturers, including Intel, are still busy developing and delivering patches, security researchers of all kinds are already writing exploit malware. The AV-Test virus test laboratory now counts almost 140 different malware versions that are supposed to attack the vulnerabilities.

“Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.

German antivirus testing firm AV-Test has identified 139 samples of malware that seem to be early attempts at exploiting the Meltdown and Spectre CPU bugs.

‘So far, the AV-Test Institute discovered 139 samples that appear to be related to recently reported CPU vulnerabilities. CVE-2017-5715, CVE-2017-5753, CVE-2017-5754,’ the company wrote on Twitter. 

The company has posted SHA-256 hashes of several samples that a check on Google's VirusTotal indicates is being detected by some antivirus engines.”

What you should know about Meltdown and Spectre

Microsoft, Linux, Google, and Apple began rolling out patches at the beginning of January 2018 addressing design flaws in processor chips named “Meltdown” and “Spectre” by security researchers. On this page, seculution explains the advantages of Application-Whitelisting in connection with these and other unknown vulnerabilities.

What is Meltdown?

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. 
Luckily, there are software patches against Meltdown.

What is Spectre?

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

How can seculution help?

Can seculution Application-Whitelisting protect against exploiting these vulnerabilities?
The security provided by seculution remains the same.
The exploitation of the Meltdown and Spectre vulnerabilities requires additional software, which must be run on the compromised computer. This malware is not known to seculution and is thus prevented from being executed by seculution. 

More details about Meltdown and Spectre

Modern processors are designed to prepare future computing operations through “speculative execution”. They gain performance because they “speculate” on the operations expected next and queue this work in advance, which lets them process data more efficiently and run applications faster. However, this technique allows access to normally isolated data, so an attacker may be able to send an exploit that can access the data.

What are the implications?

Intel processors built since 1995 are reportedly affected by Meltdown, while Spectre concerns devices running on Intel, AMD and ARM processors. Meltdown is related to the way privileges are used. Spectre, on the other hand, allows access to sensitive data stored in the memory of the running application.

The potential impact is far-reaching: desktops, laptops and smartphones running on vulnerable processors can be exposed to unauthorised access and data theft. Cloud computing, virtual environments, multi-user servers - even in data centers and enterprise environments - that run these processors are affected.

In addition, patches released for Windows and Linux operating systems can reduce system performance by 5 to 30 percent, depending on workload.

Google's Project Zero has proof-of-concept (PoC) exploits that work against certain software. Fortunately, Intel and Google reported that they have not yet seen any attacks actively exploiting these vulnerabilities.

Do Patches fix Meltdown and Spectre?

Microsoft issued a security bulletin prior to the monthly patch cycle to address the vulnerabilities in Windows 10. Updates/fixes for Windows 7 and 8 were distributed on the regular patch day in January. Microsoft has also issued recommendations and best practices for clients and servers.

Google has published mitigations for the affected infrastructure and products (YouTube, Google Ads, Chrome, etc.). A Security Patch Level (SPL) for Android has also been released, covering updates that can further limit attacks that could exploit Meltdown and Spectre. A separate security update for Android was also released on January 5. Note that patching on Android is fragmented, so users must check with their OEMs about availability. Nexus and Pixel devices can download the update automatically.

Due to the complexity of the attack scenarios and the fact that there are only a few proof-of-concept exploits of Meltdown and Spectre, the patches do not protect against unknown attacks based on Meltdown and Spectre.
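To see which of these patches are actually active on a Linux host, the kernel (4.15 and later) reports its state per vulnerability under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not code from seculution or GRC: the function names and the "partial" verdict are assumptions made for illustration, and the sample status lines in `demo()` are constructed.

```python
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")  # Linux 4.15+
# sysfs file name -> CVE listed in the AV-Test quote on this page
CVE_BY_FILE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(status):
    """Map the kernel's free-text status line to a coarse verdict."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("vulnerable"):
        return "vulnerable"
    if s.startswith("mitigation"):
        # A mitigated line can still flag one sub-component as vulnerable.
        return "partial" if "vulnerable" in s else "mitigated"
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)}. A missing file means the kernel
    has no reporting interface, so the state is unknown, not safe."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            raw = (Path(sysfs_dir) / name).read_text().strip()
        except OSError:
            raw = ""
        report[cve] = (classify(raw), raw)
    return report


def demo():
    """audit() over constructed sample files (not captured from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(tmp) / "spectre_v1").write_text("Vulnerable\n")
        return audit(tmp)  # spectre_v2 deliberately absent


if __name__ == "__main__":
    for cve, (verdict, raw) in audit().items():
        print(f"{cve}: {verdict:<12} {raw or '(no sysfs entry)'}")
```

Run as a script it prints one line per CVE for the local machine; an "unknown" verdict on all three usually means the kernel predates the reporting interface and should itself be treated as unpatched.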

© Copyright 2019 seculution - All Rights Reserved