What are Meltdown and Spectre? Craig Lodzinski, Developing Technologies Lead at Softcat, gives the lowdown on the latest threat
Just when we thought the dust had settled from 2017’s ransomware bonanza, 2018 has begun with a brand-new security threat in the form of Spectre and Meltdown.
These two vulnerabilities have garnered a lot of attention since their announcement, and with good reason. The race to make processors (CPUs) faster and more efficient has many trade-offs, and in this case, the implications revolve around security.
While there are no reported attacks in the wild, these vulnerabilities could be used by an attacker to access privileged information held in memory, which may include passwords and sensitive information.
Who is affected?
Anyone who uses any form of computer or computing resource (Public Cloud, Smartphones, Tablets, Desktops etc).
There has been a lot of attention on Intel, as Meltdown primarily affects its products, but Spectre affects nearly all modern CPUs. It has been tested on Intel, AMD and ARM CPUs, which combined comprise over 99 percent of the deployed CPU market.
Those likely to be most affected broadly fall into two categories: those with a lot of IT, and those with old IT. Organisations with large, diverse hardware environments will find mitigation a harder task due to the variety of patches that need to be applied, and the different performance impacts on various platforms and applications.
In addition to this, very old systems that are no longer supported by manufacturers and/or software companies may not receive updates, and therefore remain vulnerable to attacks for a long time.
Older systems that are still in support, such as embedded systems, may incur more performance degradation because of their architectures and because of the relatively limited attention they will receive in terms of future updates and development.
This sounds scary, but it is important to remember that there have been no reported attacks using these vulnerabilities, and that disclosure has been phased to allow patches to be developed before going fully public.
So, there’s nothing to worry about?
Not exactly. Firstly, while we believe these vulnerabilities have not been used, it does not mean that they WILL NOT be used.
Now that the information is in the public domain, it is likely that there will be attempts to weaponise the vulnerabilities. Spectre exploits a feature that is fundamental to CPU design, and while it is hard to exploit, it is likely that there will be a cat-and-mouse game between the forces of good and evil for many years to come.
To this end, it is important to follow security best practices, regularly updating machines with the latest patches that mitigate potential attacks. Information security requires a layered approach, and patching should be used in conjunction with the rest of the security pantheon (Firewalling, Endpoint Protection, Education etc).
Currently, the biggest impact for most people will be in performance, as certain workloads are seeing significant impacts following the application of the patches. The more reliant an application is on high-end CPU performance, the more likely that there will be a performance impact.
Over time, it is highly likely that the performance impact will be reduced as better patches are developed, especially on more modern CPUs with more advanced features and which receive more development time.
What do I need to do right now?
Follow the advice of device manufacturers, and apply updates in a timely fashion.
For standard consumer devices such as Windows PCs, Android and iOS smartphones and the like, ensure updates are enabled and installed frequently.
For corporate IT practices with specific concerns and policies, we recommend following the specific advice of your vendor. A comprehensive list of vendor advice can be found on Softcat’s blog.
Security professionals may also wish to look deeper into the research findings, which have been posted on www.meltdownattack.com.
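A check to run once updates are applied, as an added example that is not part of the original article: Linux kernels that carry these fixes report per-issue status in files under /sys/devices/system/cpu/vulnerabilities/, and the script below classifies those status lines across a fleet. The host names and status lines in the sample are constructed, and the helper names (classify, read_host, audit) are hypothetical.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")  # the issues this article covers


def classify(status):
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith(("Not affected", "Mitigation:")):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_host(sysfs_dir=SYSFS_DIR):
    """Collect this host's entries; a file the kernel does not expose maps to None."""
    report = {}
    for name in ENTRIES:
        path = Path(sysfs_dir) / name
        report[name] = path.read_text().strip() if path.is_file() else None
    return report


def audit(fleet):
    """Return {host: [(entry, verdict), ...]} for every host needing attention."""
    findings = {}
    for host, report in fleet.items():
        bad = []
        for name in ENTRIES:
            status = report.get(name)
            verdict = "unreported" if status is None else classify(status)
            if verdict != "ok":
                bad.append((name, verdict))
        if bad:
            findings[host] = bad
    return findings


# Constructed sample: reports as read_host() would return them on four hosts.
PATCHED = {"meltdown": "Mitigation: PTI",
           "spectre_v1": "Mitigation: __user pointer sanitization",
           "spectre_v2": "Mitigation: Full generic retpoline"}
SAMPLE_FLEET = {
    "web-01": PATCHED,
    "db-02": {**PATCHED, "spectre_v2": "Vulnerable"},
    "amd-03": {**PATCHED, "meltdown": "Not affected"},
    "legacy-04": {},  # old kernel: the sysfs files do not exist
}

if __name__ == "__main__":
    for host, bad in audit(SAMPLE_FLEET).items():
        print(host, bad)
```

An "unreported" verdict means the kernel does not expose this interface, so that host's patch level has to be confirmed another way.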
About The Author
Craig Lodzinski is Developing Technologies Lead at Softcat, one of the UK’s leading IT infrastructure providers and a FTSE 250 listed company, supplying organisations with workplace, datacentre, networking and security solutions combined with all the services required to design, deliver and support these on premise or in the cloud. Softcat is passionate about outstanding employee satisfaction and world-class customer service – both of which inspire its flexible, friendly approach to business.