Meltdown and Spectre Vulnerabilities

January 5, 2018

TROY Community:

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre.  These issues apply to all modern processors and affect nearly all computing devices and operating systems.

No known exploits exist at this time.

Hypothetically, in order to exploit these vulnerabilities, one would need to install malicious applications or possess direct access to your devices. We recommend downloading software only from trusted sources and limit third-party access to your devices.

Many technology firms have begun to release patches to help defend against Meltdown.

In the coming days, we plan to release mitigations to help defend against Meltdown and Spectre. We will continue to develop and test further mitigations for these issues and will release them as quickly as possible.  TROY IT will handle all devices that we manage: do not attempt updates to office, classroom or lab technology.

TROY IT will send notices as needed via email, update the TROY IT web presence, and post to our Twitter account.

For personal devices, we suggest you review the manufacturers’ guidelines and employ common safeguards to limit opportunity for exposure.

It is important to mention that these security issues are not limited to traditional computing devices.  Portable devices, tablets, wearables, cellular phones, streaming devices, home automation, nearly all technology devices manufactured in the last twenty years are vulnerable.

The TROY IT web presence is http://it.troy.edu.  The TROY IT Twitter account is @TROYUIT.


More Information

What are Meltdown and Spectre?

Three critical vulnerabilities were recently identified by independent teams of security researchers. The three vulnerabilities, collectively dubbed Meltdown and Spectre, impact all Intel CPUs built in the last 15 or so years - which is quite a significant number of devices. These two vulnerabilities enable a malicious user land application to read the protected kernel memory of other processes (Meltdown) and applications (Spectre). This could include things like passwords, personal documents, and credit card data.

Who is affected by this?

Almost everyone. Meltdown exclusively impacts Intel processors. So, if you have an Intel CPU you’re impacted. Spectre on the other hand impacts Intel, AMD, and ARM processors. Combined, the list of vulnerable devices includes PCs, Macs, Android and iOS devices, baby monitors, your microwave (probably) - all of which run a vulnerable CPU.

How are they exploited?

Exploitation occurs through the execution of malicious untrusted applications. Proof of concept JavaScript code has been released for Linux. This means that all a victim has to do is visit the wrong website. Spectre is a more difficult vulnerability to exploit, and to this point no proof of concept code has been seen in the wild.

What do they do?

The vulnerabilities enable an attacker to defeat the barriers between the memory space of user-land (normal) processes and kernel process. This effectively enables a malicious application to read portions of kernel memory, which often contains data prior to being encrypted, processed, and sent to a socket.

How do I protect myself?

Update your software! Microsoft, Apple, Google, and other vendors have released patches to mitigate the risk Meltdown. If an update is available for your platform, install it. Intel has also announced that 90% of the CPUs released within the last 5 years will have a patch available by next week, which should mitigate the impact of Spectre.

Outside of software updates, use sound fundamental security principles when accessing the Internet. Avoid downloading and executing files from untrusted sources, and avoid visiting unknown sites.

Source: NOPSEC


Additional Resources