After a rollercoaster day of speculation on Jan. 3 about a severe Intel chip flaw, Google’s Project Zero research team revealed later that same day details about the CPU vulnerabilities.
The CPU flaws have been branded as Meltdown and Spectre and have widespread impact across different silicon, operating system, browser and cloud vendors. The Meltdown flaw, identified as CVE-2017-5754, affects Intel CPUs. Spectre, known as CVE-2017-5753 and CVE-2017-5715, impacts all modern processors, including ones from Intel, Advanced Micro Devices and ARM.
“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, consequently, applications can access system memory,” the Meltdown attack advisory states. “Spectre tricks other applications into accessing arbitrary locations in their memory.”
Nearly every Intel processor shipped since 1995 is at risk from Meltdown. The flaw is in how memory isolation works on Intel CPUs, despite the use of mechanisms such as Address Space Layout Randomization (ASLR), which is widely used in all modern operating systems. Linux kernel developers started working on a patch for the issue in November 2017, dubbing it Kernel Page Table Isolation (KPTI) and the fix KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).
While speculation about Meltdown was present before the official disclosure, there were few public indications about the Spectre issues, which are potentially significantly more troublesome. The Spectre flaws abuse a CPU function in modern processors that use something known as “speculative execution” to maximize chip performance.
“Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary,” the 16-page research paper on Spectre stated.
At present, it’s not known if attackers have used either the Meltdown or Spectre vulnerability to exploit users. Perhaps even more worrisome, according to researchers, is that the exploitation of Meltdown or Spectre doesn’t leave any evidence in traditional log files.
“The name [Spectre] is based on the root cause, speculative execution,” the meltdown attack advisory stated. “As it is not easy to fix, it will haunt us for quite some time.”
One of the potential attack vectors for Meltdown and Spectre is via web browsers running on vulnerable systems.
“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins,” Luke Wagner, software engineer at Mozilla, wrote in a blog post. “The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes.”
Google is also working to provide new protections in its Chrome browser to help protect against Meltdown and Spectre. There is an optional feature now in Chrome called “Site Isolation” that can help to protect users.
“With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process,” a Google Chrome advisory stated.
What Users Should Do
While the Meltdown and Spectre issues are dangerous, there are currently patches available to help mitigate the risks of both flaws.
Microsoft had originally intended to include patches as part of its regularly scheduled Patch Tuesday update on Jan. 9, but it released out-of-band patches on Jan. 3, which are now available to users via the regular Windows Update mechanism. The update is currently only automatically available for Windows 10 users, with Windows 7 and 8 getting the automated update on Jan. 9.
Major cloud providers including Microsoft Azure, Amazon Web Services and Google Cloud have already updated their platforms with patches to help mitigate Meltdown and Spectre risks.
The upstream Linux kernel has already patched for the issues as well, and multiple Linux distributions including Red Hat, SUSE and Ubuntu have provided updates to their users. Although Linux does have mitigations in place, Linux creator Linus Torvalds is among those who aren’t entirely convinced that software will fix all the issues.
“I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed,” Torvalds wrote in a mailing list message.
Torvalds isn’t the only one who believes something more than software patches is needed to fully resolve Meltdown and Spectre. CERT also sees the root cause as being hardware-related, with software only providing mitigations.
“The underlying vulnerability is primarily caused by CPU implementation optimization choices,” CERT warned in an advisory. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.