There has been a lot of information in the news, and a lot of hysteria around the Meltdown and Spectre in relation to hardware exploits.
First of all, this is different from all other vulnerabilities in that it is hardware with the issue. It means hardware from Intel, AMD, ARM and others are affected. It also means that Apple devices which were traditionally thought of to be invulnerable now are. With the exception of Apple Watches – comforting.
It has been brought about by making CPU’s faster and more efficient by making memory tricks the CPU to use faster and other techniques used such as speculative execution which executes a task before its required. All these performance designs helped create this issue.
In general every piece of hardware ever issued, every PC, Phone or device will be affected. It is in our estimation the biggest security we have encountered, even a bigger issue than the recent Wannacry malware outbreak.
Currently there is no known malware taking advantage of the vulnerabilities. So there is some time. You will rely on your AV to see attempts to take advantage of this flaw via specially crafted malware.
What can happen?
This exploit allows access to memory within the machine, which can be used to read data and inject your own. Passwords could be vulnerable, or any other core components.
The problem!
The flaw is a hardware flaw which your operating system uses to perform day to day operations. Unfortunately because it is a hardware fault, it is impossible for the CPU manufacturers to fix. They have turned to the Operating system Companies such as Microsoft, Apple etc for a mitigation which prevents the problem being exploited for nefarious ends. It doesn’t fix the issue however. Only hardware updates can do that. For example Microsoft still say you need to have the Hardware fix to properly address it. Its entirely up to the PC manufacturers to do that.
There will be no mitigation for Windows XP/2003 and also its unlikely firmware updates will fix it given the age of hardware related to it.
Steps to fix!
There are some high level steps to mitigate the flaw. Unfortunately we are not aware of BIOS updates as yet to fix the problem.
On Your Microsoft PC/Clients:
Update your AV. It needs to be compatible with the January 2018 Windows Updates. There is a registry key which is set to allow the mitigations to come down from Microsoft. Some Antivirus programs will set this, others will not, so will need to be set.
Install all Microsoft updates to January 2018.
Confirm the following settings appear with the following Powershell command:
Get-SpeculationControlSettings.
In an ideal world, Green settings on the following:
The above is what you are looking for, as the firmware supports mitigation, so the chipset supports hardware mitigation, but if that does not show and is red, then you are relying on the operating system to do it. As long as one line is green then the mitigation is in place, but the risk varies. If hardware support isn’t available you are reliant on the operating system to protect you.
Windows 7, 2008R2 and Windows 2012 and so on will require an additional registry key to enable this support.
Microsoft do not guarantee that the software fix will completely address the problem as officially you need to replace your hardware! It is best effort on their part. The official guidance is that if you are working on sensitive information is to replace the CPU with a non vulnerable CPU!
Its not great but that is the reality.
For Servers:
As above, but the patch is not enabled until you enable the registry key to turn it on.
Effects
It is totally unclear at the moment that high impact to performance, but from the initial discussions on social media 6% on desktops and reports of up to 30% drop on loaded servers is to be expected. On high Loads such as SQL Queries and I/O throughput has been measured to be adversely slowed. The effects of which is variable.
Summary:
In the end its up to you to address the risk profile. If its ok to have a bit more risk, then patch, if not then replace your hardware.
Microsoft live Presentation – https://aka.ms/EMEAOOBCPU
NCSC UK guide – https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance
Official info on Spectre attack – https://spectreattack.com/
Windows 7, 2008 and 2012 Registry key – https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released