Computer Security – Chip Issues Meltdown and Spectre – Public notice from Sneaker

Computer Security – Chip Issues Meltdown and Spectre – Public notice from Sneaker

On January 3rd 2018 it was disclosed by Google Project Zero that almost every modern computer chip produced has serious security issues. These major security vulnerabilities can and possibly have been used to steal data. This applies to computers, phones, tablets, and even servers. Processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as the software companies that actually run code on them to add protections.

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

The issue in basic terms is as follows:

Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system), impacts Intel and Qualcomm processors, and one type of ARM chip. Intel has released firmware patches for its processors, and has been working with numerous manufacturers, like Apple and HP to distribute them. Intel has also coordinated with operating system developers to distribute software-level mitigations. Patches are already out for recent versions of Windows, Android, macOS, iOS, Chrome OS, and Linux, but we are suggesting strongly that all clients should wait to make sure that initial patches are safe. Please read the forums before applying a patch, as some patches may render your device or computer useless.

The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.) It affects processors from Intel, ARM, AMD, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems. But Apple, for example, has said it is still working on its Spectre patches, and hopes to release them within a few days.

The basic solution for existing hardware is to update the OS of the systems running on these chips to remove the direct access to these areas of the chips, and to stop using the predictive access abilities of the chips. Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.

The results of these patches will be slower performance from the CPU’s on these devices.
It is estimated that every major platform and device will be slower from 10% or more in speed of processing. This should not produce noticeable differences in the case of websites but it is possible. Even virtual servers have this issue.

Sneaker is aware of the situation and is taking an active stance in patching our security servers, office computers, phones and so forth. We will post on this page with any updates to the status should updates be needed.

A warning:
With some of the early patches and updates causing systems to break and/or have difficulty running after a reboot – it could be best to wait a few days before applying the patches. Essentially, companies are rushing to get updates and fixes in place and not enough testing has been done in some cases. This has caused noticeable issues with some systems.

  • Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018
  • MacOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but MacOS 10.13.3 will enhance or complete these mitigations.
  • Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
  • Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update.  Other users have to wait for their device manufacturers to release a compatible security update.

Portions of this document were sourced from Wired.com https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/

Update notice regarding Microsoft products with systems running on AMD chips –

https://www.techrepublic.com/article/windows-emergency-meltdown-patch-microsoft-stops-update-for-amd-pcs-after-crash-reports/

 

 

This is version 1.01 of this document. This number may change should contents of this page be edited later or updates with further information added.

Leave a Reply

Your email address will not be published. Required fields are marked *