The New Year has greeted us with the startling news of two recently announced vulnerabilities called Meltdown and Spectre. The root cause of the problem is related to technology designed to make your systems perform better. I’ll explain: CPUs spend most of their time essentially doing nothing. In the computing world, when end users complain about waiting for their PC because it is so slow, a common IT-staff rebuttal is that the computer spends way more time waiting for the user than the other way around. It may seem a bit snarky but it is an absolute fact. To improve performance and leverage this fact, back in the mid-1990s, CPU manufacturers developed technology that would allow the CPU to use all of this down time to increase perceived performance. How so?
Imagine one morning your significant other asks you to do two chores: Take out the trash and mow the lawn. You knock these out in about an hour but later that evening, they ask you to put a fresh garbage bag in the can and blow all of the lawn trimmings off the driveway. While waiting for you to finish this, he/she is not satisfied with how long it is taking because dinner is almost ready. But instead of waiting for that second set of instructions, what if you could have somehow predicted that these last two tasks would be asked of later after the first two were completed? You could have been using the downtime to go ahead and do the tasks but just not tell anyone or show the results. Then when those last two tasks were asked of you, you could proudly say they are already done. Your significant other will think you’re such a fast little worker but you’ve really been sitting on the sofa all afternoon. You could have even gassed up the mower so the next time the grass needs trimmed it will be done that much faster. It’s all about predicting what needs to be done next and using all of the time that nothing is being asked of you to go ahead and work on what might come next. In the computer world, it is called “speculative execution” and CPU manufacturers figured out how to develop the technology right down to the microchip level.
The security vulnerabilities are rooted in the freedom and flexibility at which the CPU manufacturers have allowed this to occur. Imagine you have hired a personal assistant to help you with some things in your office. You’ve asked them to sort through your receipts and complete your expense reports for the month. But your personal assistant is going to use speculative execution to improve performance which sounds like a great idea. So they assume that the next thing you’ll likely want done is for these receipts and expense reports to be filed away. Upon opening the file cabinet, they come across your tax returns from last year. Now they have access to sensitive information that they shouldn’t. You’ve been exposed to the potential for what is known as a speculative execution side-channel attack. This vulnerability is exactly what Meltdown and Spectre are but it’s happening right in the CPU of almost every computer or smart device made in the last 20 years. But don’t panic.
As with all hardware vulnerabilities, the only way to completely eliminate them is to fix the hardware. Which in the case of a CPU, means replacing it. The patches that are coming out from the operating systems and other software companies are going to restrict the type of speculative executions that are allowed on the underlying CPU. In some cases (or many cases depending on whom you ask), this is going to cause a performance degradation of the CPU. Meaning your PC could run slower than you’re used to. You’ve just told that personal assistant from my last analogy that all work is to be conducted in the break room and not to enter your office. This could lead to obvious inefficiencies which are bad for performance but better for security. But the real crux of the problem is that if the only solution (short of replacing the CPU) is software patches, doesn’t that mean that malware could be written to undo the software patches and then exploit this hardware vulnerability? That’s exactly what it means. But I’m still telling you not to panic.
At this time, these vulnerabilities are high-impact but low-probability in nature. This is mostly because the details of the vulnerabilities have only recently been exposed to the general public. But as information gets out and resourceful cybercriminals figure out ways of exposing the vulnerabilities, the probability of attacks will be on the rise. So the prudent thing to do at this time is be very proactive about patching your systems as security updates are released to mitigate the risk associated with Meltdown and Spectre. As time passes and malware is developed (most certainly already underway or completed by the time you read this) to leverage these vulnerabilities, this will be easily spotted and further mitigated by quality anti-malware solutions, but only if those systems and software stay up to date also. And last but not least, day zero attacks are always a possibility and loss of data could occur. So being sure that all critical systems are properly backed up should still be a top priority for your security team.
While the news of Meltdown and Spectre has been a huge story for early 2018, there is no need to panic. So continue to execute solid security practices by keeping all of your systems patched, utilizing a best of breed anti-malware solution, and backing up critical data, and everything will be just fine. Cheers, and Happy New Year.
Lead Security Engineer