Security researchers at Google this week made public two vulnerabilities in almost every modern processor shipped since 1995 that could allow attackers to steal passwords, encryption keys and other sensitive information.
The exploitation techniques, dubbed Meltdown and Spectre, both abuse “speculative execution” to access privileged memory—including memory allocated for the kernel—from a lesser-privileged process (such as a malicious app). A successful exploit of either technique would grant attackers access to private information such as passwords and encryption keys.
To better understand how a potential attack could unfold, it is important to first understand “speculative execution.” Speculative execution is a feature, not a bug (as the infamous IT quip goes) that has been used in processors for decades to improve speed by operating on multiple instructions at once using “guesses.”
To boost performance, the processor was designed to predict which path of a branch is most likely to materialize, and it will continue down that path, speculatively, even before the branch is completed. If the prediction is wrong, execution is halted and rolled back. If the prediction is accurate, execution takes advantage of the head start and continues down that path. The entire process is supposed to be invisible to software. However, as Google researchers proved, this is not entirely the case.
Meltdown and Spectre exploitation
An attack leveraging the Meltdown technique is the more likely of the two to succeed. It can enable a user process of the hacker’s choice to read kernel memory and exfiltrate passwords, encryption keys and other private data. But Spectre isn’t harmless either.
Like Meltdown, an attack exploiting the Spectre method can make items in kernel memory available to user processes by taking advantage of a time gap caused by a validity check during a memory access call.
How to protect against potential attacks
Since discovery, technology giants Intel, Microsoft, Apple and Google, as well as Linux developers, have rushed to deploy patches – or, at the very least, KB articles with instructions to mitigate risk and to keep an eye out for updates.
Linux kernel versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97 can be patched with a quick visit to Kernel.org.
Apple users should know that iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS do not require mitigation for Meltdown. However, the Spectre technique affects all Mac and iOS products and will require patching. The Cupertino-based company promises to “release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”
The popular Firefox web browser has been blessed with fixes against Spectre and Meltdown. Mozilla Firefox version 57.0.4 includes mitigations for both vulnerabilities.
Google has promised a patch for Chrome users later this month, as part of the scheduled Chrome 64 rollout.
As far as the Microsoft / Windows ecosystem is concerned, things are a bit more complicated – especially if users are running an antivirus product.
System updates pending compatibility validation
Patches for this vulnerability published by operating system maintainers bring fundamental changes to the way the operating system kernel functions. Due to the nature of the emergency patches detailed in Advisory ADV180002 and the implemented changes, antimalware vendors (which interact with the operating system at an extremely complex and intimate level) were given no time to validate the security solutions against the new update at pre-release.
Microsoft has therefore added an update delay mechanism that puts antimalware vendors in control of the update process. For the update to be downloaded and released, the antivirus solution has to create a specific registry key once it has been proven compatible with the update.
Bitdefender is undergoing extensive engineering validation efforts on all updated platforms before delivering the final update that enables the installation of the hotfix. We have also set up two knowledge base entries for business and consumer products that will be updated with release dates and versions for the Bitdefender products as they get compatibility validation.