Meltdown & Spectre Report
This post details the implications and status of the Meltdown & Spectre CPU vulnerabilities that have just been widely disclosed to the public.
What is this about?
Both flaws are related: each takes advantage of the fact that processors execute instructions speculatively for the purpose of faster computing performance. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume, for example, that a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.
The issue is that these flaws could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory.
- Meltdown therefore requires a change to the way the operating system handles memory in order to be fixed, which initial estimates predict could slow the machine in certain tasks by as much as 30%.
- The Spectre flaw affects most modern processors made by a variety of manufacturers, including Intel, AMD and those designed by ARM, and potentially allows hackers to trick otherwise error-free applications into giving up secret information. Spectre is harder for hackers to take advantage of but is also harder to fix.
These flaws/weaknesses in CPUs (affecting virtually all modern-era chips from the past ~20 years) had been known to vendors, in secret, since June 2017, but were only publicly disclosed in the first week of January 2018.
- Microsoft has officially stated “We have not received any information to indicate that these vulnerabilities had been used to attack our customers”.
When was a “fix” released?
There is no single “fix” and resolution is complicated and ongoing. In short:
- Hardware vendors expose certain CPU security features in the BIOS that, if enabled, provide significant protections.
- CPU vendors (i.e. Intel/AMD/ARM/Apple) are each affected to varying degrees and have been releasing CPU firmware “microcode” updates to address current CPUs; future improvements to these are expected in the weeks/months ahead.
- Linux operating system kernel/security updates have been released, most now coordinated under the banner “kernel page-table isolation” or KPTI; future improvements across all *nix variants are expected to be the fastest to be developed/released in the weeks/months ahead.
- Microsoft has (finally) today released Windows Server guidance and, via Windows Update, security fixes.
- Apple has also announced that iPhone, MacOS X and AppleTV require fixes.
- Android Phones/Devices are also affected.
- Browsers including Internet Explorer & Firefox are also releasing expedited updates.
What has Mach done?
Mach Technology installs all updates on all our Managed Servers automatically (to a known and consistent pattern via DEVOPS technologies) and monitors for successful update installation – all a part of our Managed Services.
Nonetheless, as soon as this new vulnerability was known, Mach proactively audited its systems and developed an action plan following recommended best practice from every relevant vendor and layer of the technology stack.
The 4-Step Plan includes:
- Hardware BIOS: ensure CPU security features are set as recommended by vendors: COMPLETED
- CPU Microcode Updates: ensure all/latest available “microcode” updates are applied: COMPLETED
- Server Operating System: ensure all/latest security/kernel updates applied: ONGOING (some reboots to be completed*)
- PC/Browser Updates: requires pragmatic coordination and involvement of users – see below Customer Action: ONGOING
Note*: Mach will coordinate and schedule VM/Host Server Reboots with customers to be completed ASAP, but will if necessary perform Server Reboots immediately and without notice if any suspicious activity is detected.
No known issues have arisen as a result of this issue in any Mach-managed infrastructure. Potentially, some customers may need to have additional computing (CPU) resources provisioned if the performance overhead/impact of patches dictates.
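An added example (not part of the original post, and not Mach's own tooling): one way to confirm steps 2 and 3 of the plan on a Linux server after the reboot, by reading the mitigation status the patched kernel reports and the loaded microcode revision. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15+ and vendor backports); the function names are illustrative.

```shell
#!/bin/sh
# Added example: report kernel-side Meltdown/Spectre mitigation status on Linux.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities;
# kernels that predate this interface lack the directory entirely.

# classify_status STATUS_LINE -> prints OK | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# audit_mitigations [DIR] -> one line per issue; returns 0 only if all are OK,
# 1 if any entry is vulnerable/unknown, 2 if the status directory is missing.
audit_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir missing (kernel predates the status interface)"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status="(no entry)"
        fi
        verdict=$(classify_status "$status")
        echo "$verdict: $name: $status"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# microcode_revision [CPUINFO] -> prints the loaded microcode revision (x86)
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Run against the live system only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_mitigations
    echo "microcode: $(microcode_revision)"
fi
```

A non-zero return from audit_mitigations on a server marked as patched usually means the new kernel is installed but the reboot is still pending.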
What should Customers do?
Mach urges all customers to:
- Have each user positively check on a daily basis (i.e. first logon of each day), that all Security Updates (e.g. Microsoft Updates / Apple Updates) are applied and if not – apply and activate by reboot.
- Assist Mach to schedule and perform (without fuss) Server Reboot(s).
- Contact Mach immediately if anything suspicious is encountered or assistance is needed.