A fact that has remained: Spectre and Meltdown need malware on the computer:
“[...] That suggests that you've got malware on your machine; right? So if you've got something malicious on your machine, it's game over anyway. [...] The only way to be infected is if something is running in your computer.”
If malware is already running on the computer anyway, the attacker does not need to use Meltdown or Spectre to do what attackers do:
“[...] And so here on a personal workstation, if you've got something, you know, if you've got something that is in your system, the last thing it's going to do is use Meltdown and Spectre. It's just going to look around and do whatever it wants to.”
In a typical corporate environment, this is not an issue, but rather a matter for hosters:
“[...] The reason it's interesting for virtualized environments is that bad guys could deliberately be running malicious virtual machines, trying to get across into other virtual machines on the same hardware.”
Even reports about browser scripts are no longer correct, because browser manufacturers have reduced the timer resolution for scripts so that Meltdown attacks do not work:
“[...] There was some concern that maybe a malicious web page could do this. But web pages do not, you know, the timing information has already been fuzzed by other mitigations against other attacks. So web pages don't have the resolution - the code, the JavaScript running on a web page isn't a means into your system.”
“Real” attacks do not seem to exist to this day:
“[...] And still six months later we've never seen this ever, ever used. [...] Even now, six months later, this is still a theoretical problem and is not practical.”
Summary:
Spectre and Meltdown are a problem for hosters, not for corporate networks or home users. Another fact that remains is that those who are worried are still 1,000 times better protected with seculution than with any other means.
“Malware makers are experimenting with malware that exploits the Spectre and Meltdown CPU bugs.
German antivirus testing firm AV-Test has identified 139 samples of malware that seem to be early attempts at exploiting the Meltdown and Spectre CPU bugs.
‘So far, the AV-Test Institute discovered 139 samples that appear to be related to recently reported CPU vulnerabilities. CVE-2017-5715, CVE-2017-5753, CVE-2017-5754,’ the company wrote on Twitter.
The company has posted SHA-256 hashes of several samples that a check on Google's VirusTotal indicates are being detected by some antivirus engines.”
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
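On Linux, whether the patches described above are active can be read from the kernel's own report under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not part of the original article; the function names and the status strings written by demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE it reports on (the three CVEs named on this page)
ISSUES = {"meltdown": "CVE-2017-5754",
          "spectre_v1": "CVE-2017-5753",
          "spectre_v2": "CVE-2017-5715"}

def classify(status):
    """Reduce the kernel's status line to one of four states."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(base=SYSFS_DIR):
    """Return {name: (cve, state, raw status)} for each issue."""
    report = {}
    for name, cve in ISSUES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # No file: kernel without this reporting interface, or not Linux.
            raw = "no kernel report"
        report[name] = (cve, classify(raw), raw)
    return report

def needs_action(report):
    """Names of issues not confirmed as mitigated or unaffected."""
    return sorted(n for n, (_, state, _) in report.items()
                  if state in ("vulnerable", "unknown"))

def demo():
    """Audit a constructed directory (sample values, not from a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(tmp) / "spectre_v1").write_text("Vulnerable\n")
        # spectre_v2 is left out on purpose to show the missing-file case.
        return needs_action(audit(tmp))

if __name__ == "__main__":
    for name, (cve, state, raw) in audit().items():
        print(f"{name:<11}{cve:<15}{state:<13}{raw}")
    print("constructed sample needs action:", demo())
```

A missing file is reported as "unknown" rather than as safe, so hosts whose kernel cannot report its status are flagged for follow-up along with those that report "Vulnerable".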
Intel processors built since 1995 are reportedly affected by Meltdown, while Spectre concerns devices running on Intel, AMD and ARM processors. Meltdown is related to the way privileges are used. Spectre, on the other hand, allows access to sensitive data stored in the memory of the running application.
The potential impact is far-reaching: desktops, laptops and smartphones running on vulnerable processors can be exposed to unauthorised access and data theft. Cloud computing, virtual environments, multi-user servers - even in data centers and enterprise environments - that run these processors are affected.
In addition, patches released for Windows and Linux operating systems can reduce system performance by 5 to 30 percent, depending on workload.
Google's Project Zero has proof-of-concept (PoC) exploits that work against certain software. Fortunately, Intel and Google reported that they have not yet seen any attacks actively exploiting these vulnerabilities.
Microsoft issued a security bulletin prior to the monthly patch cycle to address the vulnerabilities in Windows 10. Updates/fixes for Windows 7 and 8 were distributed on the regular patch day in January. Microsoft has also issued recommendations and best practices for clients and servers.
Google has published remedies for the affected infrastructure and products (YouTube, Google Ads, Chrome, etc.). A Security Patch Level (SPL) for Android has also been released, covering updates that can further limit attacks that could exploit Meltdown and Spectre. A separate security update for Android was also released on January 5. Note that patching on Android is fragmented, so users must ask their OEMs about availability. Nexus and Pixel devices can download the update automatically.
Due to the complexity of the attack scenarios and the fact that there are only a few proof-of-concept exploits of Meltdown and Spectre, the patches do not protect against unknown attacks based on Meltdown and Spectre.