Understanding the Meltdown & Spectre attacks
Last updated: 8th January 2018, 2:30PM
This guide will cover the following points:
- What the Meltdown and Spectre exploits are, and how they differ
- Who is affected, and to what extent
- Mitigation
- FAQ and considerations
- Other sources of information
What are Meltdown and Spectre, and what is the difference between the two?
From meltdownattack.com:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
Meltdown and Spectre (or “SpecDown”) are both flaws that permit an application to read privileged memory; the difference is that Meltdown can be exploited from a program and Spectre can be exploited by other programs. Think of Meltdown as the sword and Spectre as the gap in the armour; Meltdown will be (or has been) used to target software which, owing to its design, is vulnerable to Spectre.
Who is affected by these exploits?
Both bugs are found at the hardware-level within the processor. Intel’s chips are the most widely vulnerable; however, devices carrying AMD and ARM chips are susceptible too, along with Apple’s A-series of chips. While a list of every affected chip is not immediately available, reports are available indicating that Intel’s design flaw dates back to 1995.
Every OS is affected. Linux’s KPTI (formerly KAISER) has been updated to mitigate the attacks; macOS has been hardened as part of its 10.13.2 and Windows has had a series of patches earmarked as “2018-01” released. This is only half of the solution, however; please read below.
How can I deal with this?
As Meltdown and Spectre are two different vulnerabilities affecting both Hardware and Software between them, there is no single mitigation step that can be taken to guarantee complete protection against these issues. As such, the following guide should be followed carefully with attention paid to your particular setup and workflow.
Update OS – macOS: Use the “Install recommended updates on OSX [MAC]” component available from the ComStore to update your Mac devices to 10.13.2. Your devices must be capable of running this version of macOS; Apple have not provided any solution for older devices. You will need to reboot your endpoints after installing the update in order to apply it.
Update OS – Windows: Microsoft are publishing patches for SpecDown as part of their January cumulative update (legacy term: “rollup”). These patches are only being supplied for supported operating systems. As such, please only expect Microsoft patches for:
- Windows 7 SP1 (not SP0)
- Windows 8.1 (not 8.0)
- Windows 10
- Complete list (Windows Update Catalog)
To apply this update, follow these directions:
- Set up a Patch Management policy (or amend your existing one)
- Set up a new Approval filter: [Title] [Begins with] [2018-01]
- Set the policy to target your Windows devices
- Audit the devices targeted by the policy
- Once audit data has been returned, run the policy.
Please note that there are certain circumstances where a Microsoft OS will not view the 2018-01 update despite appearing to meet all the requirements; the SpecDown fix alters the manner in which Windows works, and this can potentially cause issues with Antivirus suites. As such, a registry value is required to activate a device’s applicability for the patch – antivirus operators have been instructed to furnish this value and Microsoft’s own Windows Defender will produce it automatically. If this key has not been set, a device will not view itself as applicable for the patch and, thus, the patch will not show in update scans.
Please read here for more information on this registry value, but be aware that setting it manually may cause Antivirus suites to trigger bluescreens and destabilise systems. AEM do not recommend setting this value manually. You may need to get in touch with your Antivirus vendor personally if you note this registry value to be absent on otherwise applicable systems.
Update BIOS/uEFI: For macOS systems, the OS and the uEFI boot routine are part of the same ecosystem, so one patch should mitigate everything. For Windows, however, things are a touch more complicated.
As SpecDown is a hardware-level flaw, patches must be dealt with in the microcode of the processor. This is accomplished with a patch that must be applied directly to a device’s BIOS or uEFI chip.
Please contact the website for your motherboard manufacturers to obtain individual patches for the devices in your ecosystem. Due to the fragile nature of such operations, AEM will not be offering support in this department; we advise users follow the directions posted by their device vendors.
FAQ and Considerations
We appreciate that users will have questions about this. This list will be updated as required.
- What is “SpecDown”?
- “SpecDown” is a short-hand name for Spectre/Meltdown.
- Are Microsoft providing patches for Windows XP or Server 2003?
- As of the time of writing, Microsoft have only committed to providing patches for supported operating systems, the list of which begins with Windows 7 SP1. As such, there are currently no patches for Windows XP or Server 2003.
- Can the BIOS patches be applied via component?
- AEM strongly recommend against conducting any hardware-level activity, such as flashing a BIOS/uEFI chip, via the product. Given the incredibly sensitive nature of such a procedure, a level of oversight on the individual device level is required which AEM cannot provide. AEM will not be providing support for devices that suffer issues due to a BIOS/uEFI patch that was applied via the AEM software.
- What if I do not use AEM patch management?
- Windows security relies on security patches being applied regularly as soon as possible. Users who do not make use of AEM patch management should use whatever auxiliary patch management system they are employing to keep their devices patched to install the 2018-01 patches on their applicable devices.
- Are Android and iOS affected?
- Yes.
- What can I do if my hardware is not being provided with a BIOS/uEFI patch?
- Ensure that your software is kept up-to-date via OS updates and exercise caution around new software. If you use an Antivirus suite or Windows Defender, keep it up-to-date.
- Do the patches cause performance degredation?
- Yes, unfortunately. The issue (particularly with Spectre) relies on a processor technology called “speculative execution”, a technology which improves performance. In resolving the flaw around speculative execution, the patches also make the technology less-effective, which can cause a performance hit, particularly when handling system calls. Estimates vary, but official Intel statistics say syscall-heavy tasks should expect a hit of around 30%.
Other sources of information
Please consult the following sources for more information on SpecDown and mitigation:
- https://meltdownattack.com/
- The Register advisory regarding AMD Opteron, Athlon and Turion processors and the KB4056892 patch
- Microsoft Forum post regarding the above issue
- Microsoft Update Catalogue page showing all 2018-01 patches
- Google Docs spreadsheet detailing Antivirus compatibility with the 2018-01 patch (Thanks @GossiTheDog on twitter)