Explaining the Spectre and Meltdown Security Flaws

The New Year's Eve confetti had barely been swept up when the first headline-grabbing computer security problem of 2018 made the news. As you may have seen, on January 3rd of this year, it was revealed that a set of security flaws affects nearly every processor made by Intel, AMD, ARM, and Qualcomm over the past 20 years. Those flaws have been named "Meltdown" and "Spectre." These are more accurately families of related flaws, each based around a specific feature of CPU behavior.

While chip-makers and software vendors had been notified of these flaws and had been working to patch them before the announcement, a careless leak of information caused the announcement to be moved up by a few weeks. Because of the abridged timetable, the announcement was characterized by a somewhat chaotic initial response by the computer industry. It was also difficult to make sense of some of the information being reported, partly because the problem is highly technical in nature, and partly because there isn't a simple, "install this patch and you're good," answer to mitigating these problems. Much of the advice being given by vendors was also aimed at programmers, not the public.

Now that the dust has settled a bit, here are a few questions and answers about Meltdown and Spectre.

What are these flaws?

Both problems are related to the way CPU chips optimize operations to improve their performance. Without getting too deep into technical explanations, Meltdown deals with how the CPU accesses and caches memory pages, and allows processes to get information stored in kernel memory, which they should not have access to. Spectre has to do with the fact that modern CPUs perform "speculative execution," meaning that, to optimize performance, they execute instructions before they know whether those instructions are needed. Flaws in the way this is carried out allow information to leak not only from the kernel to user programs, but also from virtual machine hosts to guest machines.

What is being done to fix this?

It's important to note that most of the "fixes" are described as "mitigations". This is because the flaws are based on how the CPU is designed to work, so the things being done at the application and operating system level don't prevent someone from exploiting the flaw, because they don't change the functioning of the CPU. Rather, they are simply ways to reduce the likelihood of any useful data being read by someone using the exploit, or they are ways to bypass the specific CPU optimizations. That being said, all of the major operating system vendors are issuing patches, as are vendors of particularly vulnerable programs, such as web browsers. The CPU makers are working on microcode to mitigate the issues, which may be issued in the form of firmware updates by some computer vendors. CPU makers are also working on chip designs that don't have these vulnerabilities, but these won't hit the market for several years.

Is there any downside to installing these updates?

Unfortunately, yes. Early microcode updates from Intel have been reported to cause reboots across several generations of their chips. Updates to Windows caused blue-screens on machines with AMD processors. It was also discovered that several antivirus software products had been making undocumented system calls that were not compatible with the patches and caused systems to lock up. Microsoft and the antivirus vendors have implemented a mechanism to prevent the patch from installing unless an antivirus version known to be compatible is installed. But even without these glitches, these patches are going to result in performance hits for certain types of workloads. The good news is that for Windows 10 and newer processors running a "typical" desktop workload, the hit is relatively small, on the order of 5-10%. Even compute-intensive tasks like 3-D rendering fare pretty well. But for workloads with heavy disk access or heavy network access, there could be a 40-50% performance penalty. For older operating systems, like Windows 7 and 8/8.1, and for CPUs that are a few years older, the performance hit will be greater.

If I install the updates put out recently by the major operating system vendors, am I safe?

Let's say, "safer." The problem, as mentioned, is that these aren't fixes; they are workarounds. It's likely that clever people will figure out ways to work around the workarounds, as well as find other related exploits in the Spectre family, maybe for years to come. But it's certainly safer to be patched than not.
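
One way to confirm on a Linux system that the operating-system mitigations are actually active (an added example, not part of the original article): patched kernels report a status line per flaw under /sys/devices/system/cpu/vulnerabilities, and the script below classifies those lines. The function names and the sample lines are constructed for illustration.

```python
from pathlib import Path

# Linux kernels with the mitigation patches report status per flaw here.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample lines in the kernel's reporting format (not captured output).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status):
    """Map one status line (or None if the file is absent) to a verdict."""
    if status is None:
        return "unknown"  # kernel does not report this flaw; flagged below
    text = status.strip().lower()
    if text.startswith("not affected"):
        return "not_affected"
    if text.startswith("mitigation"):
        # A mitigation line may carry a caveat such as "...; SMT vulnerable".
        return "partial" if "vulnerable" in text else "mitigated"
    if text.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(base=SYSFS_DIR):
    """Return {flaw: raw status line, or None when the file is missing}."""
    lines = {}
    for flaw in FLAWS:
        try:
            lines[flaw] = (Path(base) / flaw).read_text().strip()
        except OSError:
            lines[flaw] = None
    return lines


def needs_attention(lines):
    """Sorted flaws that are neither confirmed mitigated nor unaffected."""
    ok = ("mitigated", "not_affected")
    return sorted(f for f, raw in lines.items() if classify(raw) not in ok)


if __name__ == "__main__":
    for name, lines in (("constructed sample", SAMPLE), ("this host", read_sysfs())):
        print(name)
        for flaw, raw in lines.items():
            print(f"  {flaw:11} {classify(raw):12} {raw or '(not reported)'}")
        print("  needs attention:", ", ".join(needs_attention(lines)) or "none")
```

A missing status file is reported as "unknown" and listed as needing attention, since a kernel that does not expose the interface gives no evidence that the patches are installed.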

Are there any existing malicious programs that use the Meltdown or Spectre vulnerabilities?

At the time of this writing, security researchers are unaware of any existing exploits in the wild, but they caution that they may be hard to detect. The Spectre flaw, in particular, is complex and tricky to exploit, but an entity with a lot of resources could use it to attack high-value targets.

As a Castema Managed IT customer, is there anything I need to do? What is Castema doing to keep my business protected?

We have designed our Managed IT service around 3 goals: Number one is keeping your information secure, followed by keeping your staff productive and engaged, and advising you on aligning your technology investments to achieve your business goals. The processes we already have in place are designed to respond to this latest threat, just as they have done for previous security issues, and will do for the next one that comes along. Fundamentally, it comes down to having multiple layers of protection to keep malicious programs out, combined with a regular, routine process to apply patches and updates to operating systems and applications. For every threat that comes along, it is the responsibility of the system vendors to issue updates that address the threat, and it is our responsibility, on your behalf, to apply those updates to your systems. We are constantly evaluating and improving our capabilities in this area. Over the past several years, we have made new investments into improved email filtering, endpoint security software, and a new patch-management system to help us keep you secure. On top of that, our processes and checklists are what make those tools effective, and we continually evolve those processes to raise the bar for best practices, and to keep up with new information and new threats.

The bottom line is that there is nothing out of the ordinary you will need to do. Continue to practice safe computing and be smart about clicking on links and email attachments that are unexpected or seem questionable; in other words, try not to put yourself and your company at risk. Meanwhile, we will be keeping tabs on new threats and what needs to be done to mitigate them. We'll also try our best to assess the risk/reward of new patches, usually erring on the side of caution to make sure the cure isn't worse than the disease before we deploy.

Do I need to buy all new hardware?

Experts say the ultimate fix for Meltdown and Spectre is new CPUs without the flaws, but it will likely take years before new chips are developed and available for purchase in new computers. Even so, this issue does point out the security value of something I've mentioned before. Keeping current with both hardware and software is not just a good idea for features and performance, but also for security. Older systems, if they get patched at all, will often get patched after the vendors have fixed their latest versions. Modern systems usually have better mechanisms for checking and applying patches, making them easier to manage. And in this particular case, older systems will also take the biggest performance hit from the CPU workarounds. And that's on a percentage basis, even knowing that the older systems are slower to begin with.

So what to do? If you're using older systems, this might be a good incentive to update things. If you're unsure about your security readiness, or your patching practices, it's more important than ever that you get a regular process implemented. My best advice: If you have an IT company managing your systems, check with them to make sure you're getting the updates that are needed. If you're a Castema Managed IT client, we have you covered. If you're not, and you think this might be a good time to look into Managed IT for your organization, please give me a call or drop me a line.