Happy New Year! First Major Security Bugs are out!

Happy New Year!

After a fairly quiet holiday season in the security world, we are greeted with Meltdown and Spectre! And, boy, are they doozies! Both of these exploits use flaws in the hardware architecture through which, no matter what operating system is running, the hacker can siphon data out of the protected memory space, and everything runs through memory! This is really bad for cloud providers, where memory can be read from other hosted systems holding sensitive data (think HIPAA, PCI). Because both of these

First, quick rundown of Meltdown
CVE-2017-5754
Meltdown is the nicer of the two exploits, in that we have a patch for it on most operating systems! It affects most Intel chips manufactured since 1995 (excluding Itanium, and Atoms built before 2013). There are software patches out for all major operating systems, including Windows, macOS, and Linux.
This patch, on Windows, is not an easy click and go! Some antivirus products are not compatible with the Microsoft patch and will bluescreen the system! The Microsoft patching process checks for incompatible antivirus software and will not install the patch if it finds any. On some machines a manual edit of the registry is also needed!
Another downside of this patch is that it is reported to slow computer systems down by up to 30%, depending on the type of operations the computer is performing. The biggest slowdowns will be seen in processor-heavy tasks such as databases and virtualization.

Now, the Scary Scary Scary Spectre.
CVE-2017-5715

Who is affected by Spectre? Anyone with an Intel, ARM, or AMD processor, so... just about everything.
There are currently no patches for Spectre; researchers are working on hardening against the flaw that Spectre uses. Spectre works by getting programs that are error-free and follow best practices to give up data. It uses a timing side-channel attack against the processor's prediction of what will happen next, a trick normally used to hide memory latency.

In proofs of concept, Spectre has been used to make a web browser give up protected data using JavaScript.

It will be interesting to see the fallout for unsupported IoT devices with regard to Spectre. Arm states that most Raspberry Pis are not affected by Spectre because they run an in-order architecture or, in the case of the Pi I, are not affected by the way Spectre operates.

For our clients, Ultra Scary can determine what devices still need patching to mitigate Meltdown.
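
As a rough illustration of how patch status can be checked on a Linux host (an added example, not part of the original post and not the vendor's tool), the script below reads the status files that mitigated kernels expose under /sys/devices/system/cpu/vulnerabilities for the two CVEs named above. The sample directory it builds when that path is missing is constructed, and a missing status file is treated as "unknown" on the assumption that the kernel predates the reporting interface.

```python
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# sysfs file name -> CVE named on this page
CHECKS = {"meltdown": "CVE-2017-5754", "spectre_v2": "CVE-2017-5715"}

def classify(status):
    """Map a raw sysfs status string to a coarse verdict."""
    if status is None:
        return "unknown"          # no file: kernel does not report status
    s = status.strip()
    if s == "Not affected":
        return "not_affected"     # CPU is not subject to this issue
    if s.startswith("Mitigation:"):
        return "mitigated"        # e.g. "Mitigation: PTI"
    if s.startswith("Vulnerable"):
        return "vulnerable"       # bare or "Vulnerable: <detail>"
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Return {cve: (raw_status_or_None, verdict)} for one host."""
    report = {}
    for name, cve in CHECKS.items():
        try:
            with open(os.path.join(base, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = None
        report[cve] = (raw, classify(raw))
    return report

def needs_attention(report):
    """CVEs that are unpatched or cannot be confirmed as patched."""
    return sorted(cve for cve, (_, verdict) in report.items()
                  if verdict in ("vulnerable", "unknown"))

def make_sample(contents):
    """Build a constructed sysfs-like directory so the script runs offline."""
    d = tempfile.mkdtemp()
    for name, text in contents.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text + "\n")
    return d

if __name__ == "__main__":
    base = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else make_sample(
        {"meltdown": "Mitigation: PTI", "spectre_v2": "Vulnerable"})
    report = read_status(base)
    for cve, (raw, verdict) in report.items():
        print(f"{cve}: {verdict} ({raw or 'no status file'})")
    print("needs attention:", needs_attention(report) or "none")
```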