There’s been some buzz in the news lately about a handful of new security vulnerabilities. What’s interesting about these vulnerabilities to me, as a security researcher, is the nature of the root cause: it’s not a problem with an application or even an operating system, but a feature built into modern CPUs.
Even extremely technically savvy folks have struggled a bit to grasp the details of this flaw. Here’s the explanation I used when describing the issue to my mother:
See, mom, when programs are run on your computer or phone, they store data they’re using in memory. One program’s memory typically can’t be accessed by another program – they are kept separate for security reasons.
Now some CPUs want to try to make your programs run faster by executing some instructions that may never be used – they’re a part of “if this, then do that” branching code. The results of the instructions that aren’t used are routinely discarded. But in some cases, the results can be copied from a “side channel” before they are discarded. Some of these results may just be junk data, but some of it may be valuable – like a password or a credit card number.
The copying of this data shouldn’t be allowed because, as I’d said earlier, one program shouldn’t be able to see another program’s memory. But this flaw allows any program to get to this side channel and copy this data. Bad guys can use this to look for secrets that they ordinarily wouldn’t be able to see.
What’s that? You don’t care about any of this? You just called to talk to your granddaughter? Oh.
The researchers who have discovered this flaw in “speculative execution” found a few ways to exploit it to gain access to sensitive data. These techniques have been affectionately referred as Meltdown and Spectre.
It’s important to note a few things about these vulnerabilities. Let’s cover the bad news first.
Meltdown and Spectre were discovered by researchers working independently from each other – so it’s certainly possible that state-sponsored attackers have also uncovered these techniques, but kept it quiet so that the attackers could use them. On their own, these techniques leave no evidence of exploitation, so we can’t really know if they’ve been used. And while operating systems and applications can protect against the attacks with software patches, the flaws are in the operation of the CPUs themselves. Fully resolving the problem will require CPU manufacturers to change how their products function.
The good news: this vulnerability, while serious and resulting in information disclosure and privilege escalation, does not allow code execution. An attacker must already be able to run code on the victim machine on which they intend to use these techniques. And patches have been released for most vulnerable OS and browser platforms, although they have created some compatibility and performance issues.
Also, don’t let the clever branding distract you. In addition to the announcement of Meltdown and Spectre last week, critical vulnerabilities and exploits were also announced for Mac OS X, Cisco IOS, and VMWare vSphere. Good vulnerability management means you need to be aware of all of the flaws in your environment, not just the ones with cute logos.
So, at the moment, our guidance around any security vulnerability continues to be: patch! Monitor your network for suspicious activity and investigate. Ensure that only authorized code can run on your endpoints. And remember to call your mother often.