The world has not seen the last of Meltdown and Spectre, according to a recent report by cyber security and firewall specialists SonicWall. By January 2018, the company had already come across 500 ‘zero day’ malware programs designed to take advantage of various processor vulnerabilities. On Meltdown and Spectre, SonicWall has said, “It’s likely these are just two of many processor vulnerabilities already in play. We predict the emergence of password stealers and infostealers to take advantage of Meltdown and Spectre vulnerabilities”.
Meltdown and Spectre are just two CPU vulnerabilities among many that criminals are expected to continue exploiting throughout 2018 and beyond.
To date, the cyber security industry has been somewhat divided on how big of a threat Meltdown and Spectre pose to businesses, with some believing that the processor flaws are too complicated for large-scale attacks, while others believe that the monumental task of patching these vulnerabilities completely could take years, allowing cyber criminals more than enough time to properly weaponise the flaws.
According to John Gmuender, CTO at SonicWall, “Meltdown is very broad and tries to gain access to memory you shouldn’t have access to. We are seeing lots of proof of concept attacks coming through. It is more than we expected.” Gmuender expects that once criminals have developed effective malware that exploits Meltdown and Spectre, they will be put up for sale on the dark web, putting dangerous hacking capabilities in the hands of garden-variety cyber criminals.
Software vendors and hardware manufacturers in the IT world have been building features to combat Meltdown and Spectre into their products, including real-time browser (sandbox) analysis for customers that have firewalls in place. These mitigations, similar to both Microsoft’s Windows updates and Intel’s microcode updates, may cause a small performance impact for everyday users.
Intel had to recall its disastrous security updates in January after they were found to cause PCs to randomly reboot and in some cases experience the bluescreen-of-death. Since then, Intel has been testing and releasing fixes for their processor line, and has made security updates available for most processors as far back as 2011. However, these are not automatically applied to machines running Intel processors, and must be either downloaded manually or incorporated into BIOS updates created by computer manufacturers such as HP, Dell and Lenovo.
AMD reports 13 new Meltdown and Spectre vulnerabilities affecting their processors
AMD has promised that it will roll out its own firmware patches for millions of affected devices ‘in the coming weeks’, after 13 critical vulnerabilities were revealed that could lead to PCs using its processors being compromised. According to Israel-based cyber security company CTS Labs, exploiting these vulnerabilities does require admin access on the PC in question, but could then bypass important security features such as Windows Credential Guard, Trusted Platform Module services and virtualisation, allowing hackers to access sensitive data.
In a subsequent press statement, AMD pointed out that “any attacker gaining unauthorised administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research”. AMD has claimed that its fixes for Meltdown and Spectre will not affect device performance; however, after Microsoft and Intel had to withdraw similar claims, many in the industry will need to see this in order to believe it.
How to protect your business from Meltdown and Spectre:
At Tech Guard, we always advise a proactive rather than just a reactive approach to cyber security. This means having a robust and comprehensive cyber security framework in your organisation, as well as a culture of cyber aware employees. That way, when the next unpredictable vulnerability is revealed, you’ll be as ready as you can be for it. When WannaCry hit in May 2017, businesses were woefully unprepared. They were told “patch your machines and train your staff” in order to stay protected against such attacks in future. Then, just a few months later, NotPetya was released into the world, which utilised much the same vulnerabilities as WannaCry. Many businesses had not taken the necessary steps to protect against WannaCry, and found themselves with a crippling bout of ransomware.
With that in mind, there are two main steps that are critical in protecting against both Meltdown and Spectre: patch your machines, and train your staff. Security vulnerabilities and bugs are found in software all the time. Often they occur in a single program, but when they affect something as commonly used as Microsoft Windows, or a processor that was designed post-1995, then they have the potential to affect millions of devices (it’s also worth noting at this point that Meltdown and Spectre don’t care what operating system you’re on – they can affect Windows, Mac, Android or Linux/Unix users). The only way for these vulnerabilities to be closed off, at the moment, is through security patches issued by the relevant vendor.
Patching shouldn’t just happen sporadically or after a major security flaw has been exposed; it should be a regular process for your company. Patches should be tested first in a safe environment to ensure they don’t produce any unexpected side effects and break something critical, then they should be rolled out as quickly as possible afterwards to PCs and servers. If you don’t have the resources or skills in-house to test patches before applying them, then at the very least configure Windows to automatically install critical security patches, which will provide you with the latest protection against security vulnerabilities. For mobile devices, we also advise enabling automatic updates.
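Because the Windows update and the Intel microcode (delivered via an OEM BIOS update) are applied separately, a rollout is only complete when both are present on each host. The following PowerShell audit is an added example, not code from the original article or from Tech Guard; it assumes Microsoft’s SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl), that its Get-SpeculationControlSettings cmdlet supports the -Quiet switch, and that the script runs elevated.

```powershell
# Added example: report whether a Windows host actually has the Meltdown
# (KVA shadow) and Spectre variant 2 (branch target injection) mitigations
# active, and whether the CPU microcode half of the fix is still missing.
Import-Module SpeculationControl -ErrorAction Stop

function Test-SpectreMeltdownMitigation {
    $s = Get-SpeculationControlSettings -Quiet

    # Spectre v2 needs the microcode (hardware support) AND the Windows
    # kernel support present and enabled; the OS patch alone is not enough.
    $btiOk = $s.BTIHardwarePresent -and
             $s.BTIWindowsSupportPresent -and
             $s.BTIWindowsSupportEnabled

    # Meltdown: KVA shadowing is only required on affected (Intel) CPUs;
    # where it is required it must be enabled.
    $kvaOk = (-not $s.KVAShadowRequired) -or $s.KVAShadowWindowsSupportEnabled

    # Microsoft's documented registry override. 0 (with mask 3) is the
    # "mitigations enabled" setting; any other value should be reviewed,
    # because it can switch mitigations off even with the patch installed.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $override = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).FeatureSettingsOverride

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpectreV2Mitigated      = [bool]$btiOk
        MicrocodeMissing        = -not $s.BTIHardwarePresent   # needs OEM BIOS/firmware update
        MeltdownMitigated       = [bool]$kvaOk
        FeatureSettingsOverride = $override                    # $null means not set
        NeedsAttention          = (-not $btiOk) -or (-not $kvaOk) -or
                                  ($null -ne $override -and $override -ne 0)
    }
}

# Run locally; wrap in Invoke-Command to collect the same object from a fleet.
Test-SpectreMeltdownMitigation | Format-List
```

Hosts that report MicrocodeMissing have received the Windows update but not the firmware half, which is exactly the gap the article warns about.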
Cyber security awareness training is a great way to reduce your risk and prevent malware from having a chance to exploit your network in the first place. Studies have shown time and time again that cyber criminals find it much easier and more effective to target people rather than trying to bypass firewalls and complex security configurations. It only takes one person clicking a phishing email or allowing a dodgy site to run Flash for malware to get onto a network, where it can often spread to servers and infect many other PCs. Teaching ordinary users how to identify phishing emails and how to be safe online is absolutely crucial in the fight against cyber crime, as is maintaining a company culture of being cyber aware and safe. In a time where physical firewalls are no longer as effective as they once were, businesses now need to turn their staff into a human firewall.