In Progress
This issue is active and new information will be added as it becomes available.
Issue
Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs. At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. It affects operating systems and can leverage web browsers to attack. Reduced performance on Intel-based Microsoft Windows, MacOS, or Linux servers may be experienced as the operating systems are patched to close the security hole. One projections puts this at a performance reduction between 17% and 23%.
Recommendations
- Patch your operating systems, browsers, and other software
- Prioritize patching your browser(s)
- IMPORTANT NOTE: Windows patch may need to be manually enabled
Understand your anti-virus product impact. These software may cause problems with Windows updates - patch may not be available until anti-virus updates are available.
Understand your cloud infrastructure (IaaS) impact. Your provider may reboot your host(s) but you will still need to apply OS and software patches.
Summary Articles and Useful Links
- Summary of issues: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
- Intel's response: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- Impact of patches and updates: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
- It can leverage web browsers: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- A security researcher has a Google Docs spreadsheet of the status of AV products here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/edit#gid=0
- List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/
Technical Details
More information, including two papers on the CPU issues, has been released. These papers are technical descriptions of the bugs. Meltdown works on Intel processors only, Spectre works on Intel, AMD, and ARM processors.
The papers on the two bugs, called "Meltdown" and "Spectre" are available from
Readable discussion on the technical points
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Microsoft released patches today - the patch is not enabled by default and has to be enabled manually after the patch is applied. In addition, the patch will not be available for systems that are running incompatible anti-virus - some AV packages make calls into kernel memory that will cause a blue-screen-of-death if the patch is applied and enabled. More information from Microsoft is available here
Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
A Simple Explanation of the Differences Between Meltdown and Spectre
https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/
Reportedly MacOS 10.13.2 has the fixes in it and was released December 6, 2017.
What Google Cloud, G Suite and Chrome customers need toknow about the industry-wide CPU vulnerability