Issue

Several recently-published research articles have demonstrated a new class of attacks (dubbed "Meltdown" and "Spectre") that work on most modern computer processors. At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.  At worst, the flaw could be abused by programs and logged-in users to read the contents of your computer's memory (such as your password).

This is a deeply technical issue that mainly requires software and operating system providers to issue software updates to fix.

Recommendations

Are my systems affected?  Probably.

You should not panic, though. Continue to maintain good security practices, but specifically ensure your operating system, browser, and antivirus software are up to date.  It may require a shift in priorities if you do not have strong, automated patching processes.

• Patch your operating systems, browsers, and other software
  • • Prioritize patching your browser(s)
• • • Windows updates may need a BIOS update too
    • Patch and advisory tracking: https://www.us-cert.gov/ncas/alerts/TA18-004A

  • Understand your anti-virus product impact.  These types of software may cause problems with Windows updates - the windows patch may not be available until anti-virus updates are available.

    • IMPORTANT NOTE: If you are not running a Microsoft supported anti-virus, the Windows patch may need to be manually enabled (requires register key setting change).
    • If you apply the registry setting with an unsupported anti-virus, you risk a BSOD
      

  • Understand your cloud infrastructure (IaaS) impact.  Your provider may reboot your host(s) but you will still need to apply OS and software patches.

Important note: Patches may impact performance, especially on servers and systems with already high load.  Reduced performance on Intel-based Microsoft Windows, MacOS, or Linux servers may be experienced as the operating systems are patched to close the security hole.  One projections puts this at a performance reduction between 17% and 23%. So far, real life testing on Linux suggestions < 10%.

How to Detect Vulnerability

Tenable

• • TBD but will require authenticated or agent based scan
    

Microsoft

• • Microsoft powershell script:  https://support.microsoft.com/en-hk/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
    • May require to use the setting: Set-ExecutionPolicy Bypass

Summary Articles and Useful Links

• • Summary of issues: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
  • Intel's response: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
  • Impact of patches and updates: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
  • It can leverage web browsers: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
  • A security researcher has a Google Docs spreadsheet of the status of AV products here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/edit#gid=0
  • List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

Technical Details

More information, including two papers on the CPU issues, has been released.  These papers are technical descriptions of the bugs.  Meltdown works on Intel processors only, Spectre works on Intel, AMD, and ARM processors.

The papers on the two bugs, called "Meltdown" and "Spectre" are available from

https://meltdownattack.com/

Readable discussion on the technical points

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

The webcast recording is now available from SANS. Click the Register button and log into your account. You will then see the "View Webcast" button and the "Download Presentation Slides" link on this page.

https://www.sans.org/webcasts/meltdown-spectre-understanding-mitigating-threats-106815

SANS presentation youtube video

https://www.youtube.com/watch?v=8FFSQwrLsfE

Microsoft released patches today - the patch is not enabled by default and has to be enabled manually after the patch is applied.  Part of the patch may require a firmware/BIOS update on the system before it will be completely effective.  In addition, the patch will not be available for systems that are running incompatible anti-virus - some AV packages make calls into kernel memory that will cause a blue-screen-of-death if the patch is applied and enabled.  More information from Microsoft is available here

https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s

Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

A Simple Explanation of the Differences Between Meltdown and Spectre

https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Reportedly MacOS 10.13.2 has partial fixes in it and was released December 6, 2017.  More changes are expected in 10.13.3.

What Google Cloud, G Suite and Chrome customers need toknow about the industry-wide CPU vulnerability

https://www.blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/