
Thursday, 4 January 2018

Meltdown, Spectre vulnerabilities affect just about everyone

SingCERT has advised computer users to monitor AMD, ARM and Intel websites for the release of security patches and update to the latest patch as soon as possible in the wake of the announcement of two critical vulnerabilities dubbed Meltdown and Spectre on January 3 US time. While the vulnerabilities affect hardware, the wider ecosystem is also affected.

The vulnerabilities had been discovered earlier and were originally meant to be disclosed together with patches on January 9; patches and announcements have since been brought forward as a result of media reports and fears that the vulnerabilities will be exploited. "Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports," the company said in a statement online.


The vulnerabilities involve a technique called speculative execution and affect operating systems, computers, smartphones, tablets and cloud services. They enable attackers to steal data on the computer, such as passwords, and were reported by Google Project Zero as well as by the Graz University of Technology. In the case of cloud services, Google has said in a blog post that an attacker on one virtual machine can "access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host".

Meltdown (CVE-2017-5754 - rogue data cache load) allows attackers to bypass the boundaries between user applications and the operating system. Applications should not be able to access information from operating system memory, but with Meltdown, cybercriminals can get access to sensitive data from other software. Meltdown only affects Intel processors.

Spectre (CVE-2017-5753 - bounds check bypass - and CVE-2017-5715 - branch target injection) affects Intel, AMD and ARM processors and allows attackers to trick applications into leaking data.

ARM said the vulnerabilities are not new, but noted that cybercriminals could extract data from a processor "performing as designed and not based on a flaw or bug". "It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads," ARM said on a page dedicated to the vulnerabilities.
 
"All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches," the company further noted.

AMD has similarly downplayed the severity of the vulnerabilities, noting that:

- The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.

- The described threat has not been seen in the public domain.

The Vulnerability Notes Database listed Apple, Google, the Linux kernel, Microsoft and Mozilla as other vendors which are also affected. Vendors in general have already announced mitigation strategies.

Case in point is Mozilla, which announced through a blog post by Software Engineer Luke Wagner: "Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox."


Matt Linton, Senior Security Engineer at Google, and Pat Parseghian, Technical Program Manager at Google, said in the blog post that Google has already taken steps to mitigate the attack methods.

"As soon as we learned of this new class of attack, our security and product development teams mobilised to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations," they shared.

"As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defense.

"Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be," AMD stated on a page dedicated to the vulnerabilities.

"Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services," stated Microsoft in guidance to Windows Server users. In a Windows blog post John Hazen, Principal PM Lead, Microsoft Edge also noted that the security update KB4056890* mitigates the attacks, and also detailed changes for supported versions of Microsoft Edge and Internet Explorer 11.


"The solution to mitigate these exploits is to update the firmware. Vendors such as Intel and Microsoft have pushed out patches to fix these vulnerabilities," SingCERT noted. Microsoft further says that hardware/firmware and software updates are required. "This includes microcode from device OEMs and in some cases updates to AV software as well", the company said in guidance about the vulnerabilities.

Media reports have speculated, however, that performance will degrade post-patch, but Trend Micro is more reassuring. In a blog post by William Malik, CISA VP Infrastructure Strategies, Trend Micro, the company predicts that cloud-based systems will see "some slight elongation in response time. While processors will run more slowly, they (and the local memory and disk) are on the other side of the Internet."

Those performing on-site processing for compute-intensive workloads may see a more significant impact. "Heavy processes and big data analytics benefit most from this processing feature. Without it, running these processes will take more time," Trend Micro explained. The company says home users "will not notice the change". "If you’re gaming a lot or use heavy graphics components, then the same rules apply as for organisations," Malik said.

Explore:

Google Project Zero's discussion of the vulnerabilities and proofs of concepts of how they work

ARM has listed affected processors and mitigation mechanisms here

Check the status of Google's mitigations for all products and services

Recommended actions from Microsoft on Windows Servers and on SQL Server
 
The SpecuCheck Windows utility, provided "as is" by Alex Ionescu without express or implied warranties and available on GitHub, is described as being able to check the state of software mitigations against both Meltdown and Spectre

Trend Micro has issued instructions on how their Microsoft Windows users may patch their computers if they cannot see the update


*This update is downloaded and installed automatically from Windows Update. Update KB4056892 is also described as a patch for the vulnerabilities, and specifically states that it contains "security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacenter Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine".
