Many Bothans died to bring us this information.
Well, not really. No one died. And Bothans aren’t real. But two critical vulnerabilities have been discovered in Intel, AMD, and ARM processors that date back over two decades.
On Wednesday, January 3, it was publicly disclosed that Google had discovered the vulnerabilities. Dubbed “Meltdown” and “Spectre,” these weaknesses could be exploited by hackers to “read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications.”
This is not good. Virtually all PCs, laptops, tablets, and smartphones are affected, regardless of manufacturer or operating system. And it’s not just personal devices you need to worry about. Customer data on servers, data centers, and cloud platforms such as AWS, Azure, and Google Cloud could be at risk as well.
Meltdown and Spectre work by taking advantage of the normal ways that Intel, ARM, and AMD processors work. They break down a fundamental isolation that separates kernel memory — the core of the operating system — from user processes. According to Business Insider:
In the same way two precisely placed proton torpedoes could blow up the Death Star, so too can Meltdown and Spectre take advantage of a very specific design quirk and get around (or “melt down,” hence the name) processors’ normal security precautions.
“Given the sheer volume of chips deployed and in use, this certainly looks like a pretty serious problem,” says Aberdeen Vice President and Research Fellow Derek Brink. “The likelihood of a successful exploit is now very high, and the business impact from the exposure of personal data or passwords from kernel-memory locations could be significant.”
Luckily, there is no evidence that Meltdown or Spectre attacks have occurred to date, and many companies, including Intel, Amazon, Google, Apple, and Microsoft, are already rushing out fixes. Both Microsoft and Amazon have scheduled downtime for their cloud services in the coming days. However, these fixes will likely cause performance dips once installed, sometimes by as much as 30%, according to some reports.
Meltdown, as its name suggests, “melts down” the security boundaries typically held together by hardware. It can be guarded against with software updates. Spectre-based attacks, on the other hand, are more dangerous. They can trick apps into leaking their secrets by taking advantage of an integral part of how processors work. This means it could require a new generation of hardware to stamp it out for good.
“It isn’t yet clear whether the ultimate fix will require completely new hardware – or whether it might be addressed with an update to the microcode,” according to Brink. “In the meantime, software patches represent the best available way to reduce – although not eliminate – the risk from these classes of attacks.”
He goes on to say that “Specific vulnerabilities such as Meltdown and Spectre will continue to come and go. Although the headlines are likely to be about the technical details, the focus should actually be on the critical capabilities that organizations need to carry out these steps, including visibility and intelligence into what they actually have in their infrastructure, systematic management of vulnerabilities and the patching process, and a holistic approach to identifying and managing risk. Establishing these types of critical capabilities will serve the business again and again over the long term.”