Don’t Meltdown: keep calm and patch
Users and businesses should apply available patches to address highly complex twin security vulnerabilities affecting computers and phones.
The Meltdown vulnerability is a fundamental flaw affecting Intel chips that allows attackers to read otherwise protected sensitive information on computers and phones. Spectre is more complex and allows attackers to read information from other running programs.
The two flaws taken together impact Intel, ARM, and AMD chips in Windows, Mac, and Linux computers, and iOS and Android devices.
These vulnerabilities do not result in instant hacks – they require attackers to first compromise vulnerable devices by the usual methods such as tricking users into running malware or visiting malicious sites. Meltdown and Spectre can then be used once attackers have established a foothold on computers or phones.
The flaws are a result of design choices to improve compute speed.
What should I do?
General users: Most computer users need not fear or fret over the particulars of Meltdown and Spectre. The flaws are hugely complex and have evaded brilliant technical minds for decades.
Instead, they should treat the vulnerabilities like most security flaws and apply software updates (patches) for their computers, laptops and phones as they are made available.
They should also focus on being security-smart as attackers need to compromise users’ devices first before they can exploit the vulnerabilities, so being mindful of email attachments, random software, and shady websites will limit potential exposure to these vulnerabilities.
Businesses: Technology companies are developing and distributing patches to address Meltdown (CVE-2017-5754) by securing access to kernel memory through Kernel Page Table Isolation.
Telstra security experts advise that these patches, when available, should be applied through usual processes and testing cycles for endpoints and servers to avoid any unforeseen large-scale performance degradation.
It’s also advised that a full verified backup of devices is made before patches are applied, in the event of unforeseen issues.
Microsoft has released a patch for Windows 10 (kb4056892) and Windows Server variants, and will distribute these through its Patch Tuesday (released Wednesday local time) release cycles. The latest Linux kernel has also been patched.
Apple and Google are releasing patches for their platforms and programs including the Safari and Chrome browsers, and iPhone, Nexus and Pixel phones. Other manufacturers, such as Samsung, are expected to deliver the patches to supported phones also.
Priority patching should be applied for those instances where multiple users share a single CPU. Businesses running public cloud environments should most strongly consider applying patches since failure to do so could allow attackers to compromise multiple environments. Microsoft, Google, and Amazon have indicated that they have patched their environments.
These patches may cause machines to slow down by up to 30 percent due to changes introduced to protect kernel memory. Initial speculation suggests this may increase the cost of cloud computing and that general end users should not notice performance degradation.
Some antivirus software is incompatible with the Windows patches. Endpoints running affected antivirus products cannot be patched until those security companies ensure compatibility.
Security researcher Kevin Beaumont has a live database that administrators can consult.
While both flaws can be patched, fixing Spectre (CVE-2017-5753) is more nuanced. It is a more complex, entrenched, and widespread flaw that uses Speculative Execution and Branch Prediction to achieve what Meltdown does with privilege escalation against Intel. It is also more difficult for attackers to exploit compared to Meltdown.
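As a check administrators can run on Linux hosts after the kernel update, the following added example (not part of the original article) reads the kernel's own mitigation report for the two CVEs named above. It assumes the standard sysfs directory that patched kernels expose; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state from Linux sysfs.
# Assumption: patched kernels expose the directory below; older, unpatched
# kernels do not have it at all.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;   # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<CVE> <name> <verdict>" for each flaw named in the article.
# $1: directory to read (defaults to the real sysfs path).
# Returns 1 if any flaw is not confirmed mitigated or not affected.
audit_cpu_flaws() {
    dir=${1:-$VULN_DIR_DEFAULT}
    flaw_rc=0
    for entry in "CVE-2017-5754:meltdown" "CVE-2017-5753:spectre_v1"; do
        cve=${entry%%:*}
        name=${entry#*:}
        if [ -r "$dir/$name" ]; then
            IFS= read -r line < "$dir/$name" || true
            verdict=$(classify_status "$line")
        else
            # No file: the kernel predates the reporting interface, so
            # treat the host as needing an update rather than as safe.
            verdict="unknown"
        fi
        echo "$cve $name $verdict"
        case "$verdict" in
            mitigated|not-affected) ;;
            *) flaw_rc=1 ;;
        esac
    done
    return $flaw_rc
}

# Query the live system only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then
    audit_cpu_flaws
fi
```

The non-zero exit status on any unconfirmed flaw lets the script feed a fleet compliance job directly.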