Early in December 2017, 3 researchers from the Graz University of Technology in Austria wrote and verified a computer program to test a theory about the safeguards of how computer’s central processors protect access to privileged data stored in memory. Their goal was to bypass the processor’s hardware barrier and letting unprivileged programs access memory belonging to other programs.
They had tested and verified the program and were consistently seeing information from emails, browser histories, and private conversations – all gained without having any computer permissions associated with that information. They called it “Meltdown” and notified Intel. They were not the first to discover the flaw that has been hidden in the processor since the mid 90’s. Others at Google’s “Project Zero” had reported it as well. At least 3 other groups, using several different approaches, had come across a similar flaw. They could also read private files, passwords, cryptographic keys belonging to other programs running on the same computer. This became known as Spectre.
Spectre exploits a technique used by processors to speed up the execution of programs. Instead of idling, the processors try to guess what the program is going to do next. If successful, the performance gains are significant. By tricking the processor into guessing in a predictable inaccurate way, researchers were also able to extract useful data from memory.
This “bug collision” (where several independent researchers uncover the same flaw in the same time period) is rare, but not unheard of.
The concerning issue with this flaw is that in modern cloud environments, there are many virtual computers that coexist on the same physical computer. This could lead to an unprivileged computer program running on virtual computer “A” (either built or compromised by a hacker) snooping on data used by a totally different virtual computer, and that other virtual computer may not even be owned by the same person that owns “computer A”.
The “Meltdown” bug only affects Intel processors – used by the majority of business environments, while the “Spectre” approach affects Intel as well as AMD (the alternative to Intel) and ARM (used in smartphones, tablets and IoT devices).
Intel says they are working on fixes, but fixing the design flaws in hardware is not that simple. The only real fix is to redesign the hardware from the ground up – something that can only be done in the next evolution of the processor. In the meantime, consumers will have to rely on workarounds and patches from vendors through their normal update processes like YUM and apt-get for Linux, and Windows Update for Microsoft. As I’ve suggested before, applying patches to Android-based mobile phones and tablets is problematic at the best of times.
The patching lifecycle is very long due to the number of different companies who have modifications to the original product. The fix is released by the Operating System (OS) vendor who then submits it onto the hardware vendors (e.g. Samsung, LG, Huawei, Sony) who check and verify that it doesn’t break any of their own firmware and software before passing it onto the Mobile Operators, who check that it doesn’t break any of their customizations, and then release it to consumers. iPhones have a slightly shorter life cycle as the OS vendor and hardware vendor are the same.
Microsoft has issued a response indicating that those customers applying the software patches via the normal update process may not get to see them at all – until the anti-virus solutions they employ indicate to Windows that they are at a minimum compatibility level. Unfortunately, the Windows patches may break some of the requests that anti-virus programs make to the operating system. These broken requests may cause computers to crash.
While there are no current exploits in the wild, the world is aware of these vulnerabilities. It may not be long before hackers come up to speed. This means patching the underlying server architecture (like VMWare ESX and Windows Hyper-V) is a priority, and then the virtual servers themselves. Terminal servers (remote desktops) should also be treated as a priority due to their end-user interaction and the good possibility of users browsing to compromised servers. This means inadvertently running infected web pages.
So, Intel inside, whose ready on the outside?