  Large impact: malware can read sensitive data used by other applications, such as:
    Passwords
    Encryption keys
    Banking information (e.g. credit card details)
    Documents
  Probability of occurrence
    For end-users:
      o Malware needs to be present on the user's device
      o Retrieval of useful data is not straightforward, hence unlikely to be used against a large number of users
    For companies:
      o Can be used in targeted attacks against specific companies
o Scope:
  Intel
    x86 processors that implement out-of-order execution (almost all processors since 1995) might be impacted, except Atom and Itanium processors released before 2013.
    Meltdown is confirmed to apply to Intel processors released from 2010 onwards.
  AMD: impact unclear
  ARM: only one processor impacted
  Android: patches available
  Apple: no public comments so far
  Linux: patches available (KPTI/KAISER patches)
  Microsoft has released patches for Windows, IE, Edge, SQL Server on 3/1, also updating cloud and tablets
  Fully virtualized machines: not impacted (access to host kernel space is not possible)
o Solution:
  Users should be cautious when installing software from suspicious or unknown sources
  Users should apply software patches at OS kernel level
  Patches might cause performance degradation, but regular computer users will probably not notice
o Independently discovered by three teams:
  Google Project Zero
  Cyberus Technology
  Graz University of Technology in Austria
– Spectre
o Description:
  Breaks memory isolation between different applications
o Threats:
  Large impact: application can access RAM of other applications
o Scope: Intel, ARM, AMD processors
o Solution:
  Software patches exist for specific occurrences
o Independently discovered by two teams:
  Google Project Zero
  Paul Kocher and other researchers
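To confirm that the kernel-level patches listed above are actually active on a Linux host, the following added example (not part of the original page) reads the status lines the kernel publishes for Meltdown and Spectre and classifies each one. The sysfs path and the file names meltdown, spectre_v1 and spectre_v2 are the Linux kernel's reporting interface (4.15 and distribution backports), not something the page itself names; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify the kernel's reported Meltdown/Spectre mitigation state.
# One status line per issue is exposed under this directory.
SYSFS_DIR="${SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<status line>" -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;     # e.g. "Mitigation: PTI" for KPTI
        "Vulnerable"*)   echo vulnerable ;;    # also "Vulnerable: <partial mitigation>"
        *)               echo unknown ;;
    esac
}

# check_issue <dir> <name> -> "<name> <class> <raw status>"
check_issue() {
    file="$1/$2"
    if [ -r "$file" ]; then
        status=$(head -n 1 "$file")
        echo "$2 $(classify_status "$status") $status"
    else
        # No entry: the kernel predates the reporting interface, so the
        # patch level cannot be confirmed this way.
        echo "$2 unknown (no sysfs entry)"
    fi
}

# report <dir> -> one line per issue; returns 1 if any is vulnerable or unknown
report() {
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        line=$(check_issue "$1" "$issue")
        echo "$line"
        case "$line" in
            "$issue vulnerable"*|"$issue unknown"*) rc=1 ;;
        esac
    done
    return $rc
}

report "$SYSFS_DIR" || echo "Action needed: update the kernel and CPU microcode, then re-check."
```

A non-zero result from report is suitable as a compliance check in fleet tooling; it reflects only what the running kernel reports, not firmware or hypervisor patch state.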
Frederik Mennes, Senior Manager Market & Security Strategy at VASCO:
“During the past days we have learnt that, for many years, a lot of our personal computing devices – desktops, laptops, tablets and smartphones – contain two security flaws, called Meltdown and Spectre. These vulnerabilities allow malware to read the computer’s memory, effectively giving access to sensitive user data, like passwords, cryptographic keys, banking information, and so on. Many servers hosting cloud services are equally vulnerable to these flaws. Users should patch the firmware and software of their devices as soon as possible, and should also be extra cautious when downloading software from unknown or suspicious sources.”
“The Meltdown and Spectre flaws have sent a shockwave through the industry for vendors and customers alike. Whilst currently there is no evidence to suggest these exploits have been used to steal data, they underline once again that customers must ensure data covered by regulations such as the incoming EU GDPR, or that is sensitive to the company in any way, must be encrypted. It is the last line of defence for data when all other security measures fail, or new hardware and software flaws are discovered. This is another reminder that customers need to consider encryption as part of a managed security strategy across all on-premise servers, devices and cloud services if they are to meet the security challenges we all face today.”
“2018 has gotten off to a tough start with the news of the Meltdown and Spectre vulnerabilities. Both of these vulnerabilities relate to failures of isolation, and while they are about data leaking from one place to another rather than code execution, they spell trouble for pretty much all computer users, everywhere. The events of the last few days only underscore how vulnerable our critical data is to attackers. While these vulnerabilities are worrisome, these exploits are just two of the raft of threats we have to deal with each and every day. If you’re a security professional, trying to chase every single new threat is like trying to chase your own tail. We urge defenders to keep a careful eye on the overall threat environment yet increase their focus on who and what has access to the data that is most sensitive. This user- and data-centric approach to security has never been more important.”
“2018 is quickly off to a “negative” start for security defenders and we expect that these types of cyber threats will escalate throughout the year. Never more than today has there been a need for security organizations to continuously validate their security controls and posture in near real-time. Spectre and Meltdown are just the latest examples of vulnerabilities that allow attackers to gain privileged access with little effort. Organizations must assume attackers will gain an initial foothold into the network and subsequently, be prepared to exercise incident response and compensating controls. Attack simulation can provide significant visibility into an organization’s security posture and processes and how prepared they are to address attacks such as these.”
Michael Lines, VP of Strategy, Risk and Compliance at Optiv:
“The Meltdown and Spectre security flaws are affecting billions of devices, but the fundamental challenges that organizations face remain the same as every other major vulnerability that has been announced. Fixing these security flaws is going to be a long-term issue to resolve because, one, patches are needed across a vast array of operating systems, and two, patches for Spectre are still to be developed and released.
These widespread vulnerabilities underscore the importance of having ongoing risk assessment processes in place, as well as well-oiled TVM processes – both as part of a robust information security program. Risk assessment should cover both awareness and management of the issue at the board and C-suite level. These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical. Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”
Christian Vezina, CISSP, CISA, CISM, CRISC, CIPP/US, CIPT, Chief Information Security Officer at VASCO Data Security:
“What I find interesting is that with the ever increasing amount of software code out there, security researchers are still discovering 20+ year old vulnerabilities. Unfortunately the processor level vulnerabilities that have been published recently seem to indicate a trend: Everyone drop what you are doing and start patching your systems [again].”