Meltdown and Spectre, behind the first security hole discovered in 2018
2018 could not have had a worse start from a cyber-security perspective as, yesterday, a major security hole was found in Intel, AMD and ARM processors. The critical flaw discovered in the affected computers’ architecture and operating system has rocked the technology industry, and developers around the world have rushed to roll out fixes.
The vulnerability, leveraged by the Meltdown exploit on Intel systems, is particularly worrying as it can lead to exfiltration of sensitive data such as login credentials, email messages, photos and other documents. It enables attackers to use a malicious process running at user level on the affected workstation or server to read other processes’ memory, even that of high-privileged kernel processes.
The flaw can hit home users and virtually every company, as Spectre affects all kinds of computers: desktops, laptops, Android smartphones, on-premises servers, cloud servers, etc. The more critical the information handled by a potential victim, the greater the risk of an attack.
Microsoft and Linux have already released updates to protect their customers. We’d like to inform our customers and partners that the tests carried out by Panda Security show that there are no compatibility conflicts between our endpoint security solutions and Microsoft’s security update.
At present, there is no evidence of public security attacks leveraging the flaw, but judging from past experience, it is not at all improbable that we may witness an avalanche of Trojans and spam campaigns attempting to exploit the vulnerability.
How to mitigate the vulnerability
Newer generation processors are not affected by the flaw; however, replacing all vulnerable systems is not a viable option at this time.
For that reason, the only possible countermeasure at this stage is to mitigate the vulnerability at operating system level. Microsoft and Linux are working on or have patches ready that prevent the exploitation of this hardware bug, with Linux being the first vendor to release a fix.
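Once the operating system fix is installed, a practitioner wants to confirm the mitigation is actually active. The following script is an added example, not part of the Panda Security post: it classifies the per-vulnerability status strings that Linux kernels carrying the Meltdown/Spectre fixes expose under /sys/devices/system/cpu/vulnerabilities/ and flags any host still reporting "Vulnerable". The sample directory and its contents are constructed so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the status text the
# patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/
# (files: meltdown, spectre_v1, spectre_v2).

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_sysfs [DIR]: print "<name> <class> <raw text>" for each entry.
# Returns 1 if any entry is vulnerable, 2 if the interface is missing
# (kernel predates the fix), 0 when everything is mitigated/not affected.
report_sysfs() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel does not expose mitigation status" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$class" "$status"
        if [ "$class" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample directory mimicking a host whose kernel has the Meltdown
# fix (PTI) but still lacks a Spectre variant 1 mitigation.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n'      > "$d/spectre_v1"
    printf 'Not affected\n'    > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    report_sysfs "$(make_sample_dir)"
fi
```

Run it with no arguments on a real host to read the live sysfs entries, or with --demo to see the constructed sample; a non-zero exit status lets fleet tooling single out hosts that still need the patch.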
Microsoft, which initially planned to include a patch in the security update scheduled for Tuesday January 9, released a fix yesterday that is already available on the most popular operating systems and will be gradually deployed to all other systems. For more information, please visit this page.
It is worth mentioning that Microsoft’s security patch is only delivered to a computer if a specific registry entry is present on the system. This mechanism is designed to allow for a gradual update of systems coordinated with security software vendors. This way, computers will only be updated once it has been confirmed that there is no compatibility issue between the patch and the currently installed security product.
For more information, please refer to the following technical support article. There you will find detailed information about the Microsoft patch validation process, how to manually trigger the patch download, and how our products will be gradually updated to allow the automatic download of the new security patch just as with any other update.
We also encourage you to read the detailed information about Microsoft’s security update and the potential impact it can have on desktop, laptop and server performance.
Finally, Microsoft, Mozilla and Google have warned that attackers may try to exploit these bugs via their Web browsers (Edge, Firefox and Chrome), and that temporary workarounds will be released over the next few days to prevent this. We recommend that you enable automatic updates or take the appropriate measures to have your desktops, laptops and servers properly protected.
Additionally, Panda recommends that you implement the following best security practices:
- Keep your operating systems, security systems and all other applications always up to date to prevent security incidents.
- Do not open email messages or files coming from unknown sources. Raise awareness among users, employees and contractors about the importance of following this recommendation.
- Do not access insecure Web pages or pages whose content has not been verified. Raise awareness among home and corporate users about the importance of following this recommendation.
- Protect all your desktops, laptops and servers with a security solution that continually monitors the activity of every program and process run in your organization, only allowing trusted files to run and immediately responding to any anomalous or malicious behavior.
Panda Security recommends that all companies adopt Panda Adaptive Defense 360, the only solution capable of providing such high protection levels with its managed security services. Discover how Panda Adaptive Defense 360 and its services can protect you from these and any future attacks.
Customers using our Panda Security home use solutions also enjoy maximum protection as they feed off the malware intelligence leveraged by Panda Adaptive Defense 360, as shown in the latest independent comparative reviews. The protection capabilities of Panda Security’s technologies and protection model are demonstrated in the third-party tests conducted by such prestigious laboratories as AV-Comparatives.
How do these vulnerabilities affect Panda Security’s cloud services?
Cloud servers where multiple applications and sensitive data run simultaneously are a primary target for attacks designed to exploit these hardware security flaws.
In this respect, we’d like to inform our customers and channel partners that the cloud platforms that host Panda Security’s products and servers, Azure and Amazon, are managed platforms which were properly updated on January 3, and are therefore protected against any security attack that takes advantage of these vulnerabilities.
What effect do these vulnerabilities have on AMD and ARM processors?
Although the Meltdown bug seems to be limited to Intel processors, Spectre also affects ARM processors in Android and iOS smartphones and tablets, as well as in other devices.
Google’s Project Zero team was the first one to inform about the Spectre flaw on June 1, 2017, and reported the Meltdown bug before July 28, 2017. The latest Google security patch, released in December 2017, included mitigations to ‘limit the attack on all known variants on ARM processors.’
Also, the company noted that exploitation was difficult and limited on the majority of Android devices, and that the newest models, such as Samsung Galaxy S8 and Note 8, were already protected. All other vendors must start rolling out their own security updates in the coming weeks.
The risk is also small on unpatched Android smartphones since, even though a hacker could potentially steal personal information from a trusted application on the phone, they would have to access the targeted device while it is unlocked as Spectre cannot unlock it remotely.
Apple’s ARM architecture chips are also affected, which means that the following iPhone models are potentially vulnerable: iPhone 4, iPhone 4S, iPhone 5 and iPhone 5C. Apple has not released any statements regarding this issue, so it is possible that they managed to fix the flaw in a previous iOS version or when designing the chip.
As for the consequences and countermeasures for AMD processors, these are not clear yet, as the company has explained that its processors are not affected by the Spectre flaw.
We’ll keep you updated as new details emerge.
The post Meltdown and Spectre, behind the first security hole discovered in 2018 appeared first on Panda Security Mediacenter.