Proof of concept source code for the Spectre and Meltdown attacks has surfaced on GitHub today. Perusing the code shows that, according to security experts, the most egregious architecture bungle in the history of man can be accomplished with 122 lines of code. Get ready folks. Things are about to get weird in 2018.
Quick Facts on Spectre & Meltdown
1: This is not just an Intel architecture problem. Spectre makes this a general CPU architecture problem that affects all CPUs. Prioritizing performance over security will no longer work. However, AMD is being vocal that the chances of its CPUs being heavily impacted by this are very low.
Conversely, Intel has issued a warning that just about every server chip it has made in the last 10 years is open to these attacks.
Intel is saying that it will have updates issued by the end of the week for 90 percent of the processor products built in the last five years.
2: These flaws allow the entire contents of memory to be dumped for nearly any device that uses a CPU. Desktops, laptops, servers, mobile phones. Dumping memory exposes EVERYTHING.
3: Spectre affects ALL PROCESSORS. It exploits a fundamental design flaw in contemporary CPU architecture. There is no fix for current hardware.
4: Meltdown affects INTEL processors. It is easier to pull off than Spectre, but it has a mitigating patch. Unfortunately, the patch is expected to affect performance significantly in certain workloads.
5: The Meltdown patch still does not address Spectre, though the criticality is largely the same.
6: To reinforce the severity of the issues these attacks could present, imagine a threat actor making their way onto an AWS cloud server and dumping / reading the entire contents of memory for everything on that server. Think about how many companies exist on a single cloud server. The amount of sensitive data present is staggering. Passwords, log-ins, personal info, intellectual property, files, SSL keys, databases… The list goes on.
7: Vendors don’t understand the issue, with many stating that Microsoft has already fixed this in an upcoming patch. Again, Meltdown can be patched. Spectre cannot. They both accomplish the same end result. Spectre is difficult to exploit, but in the hands of the right threat actor it is easily doable. Once Spectre is streamlined and automated for ease of use, all bets are off.
The Bottom Line
I wish I could really say right now, but considering that most of the world is run on Intel CPUs when it comes to servers, the simple suggestion to “Replace CPU hardware” is a bit daunting, except probably to AMD and possibly Qualcomm with its new Centriq processors. As for a current anti-virus list, you can follow this well-laid-out spreadsheet from @GossiTheDog.
What to do with the information we have today:
Average Desktop User (Intel): At this point your best and only option is to apply the Microsoft KAISER patch when it becomes available. As this attack is also reported to be deliverable through the web browser via JavaScript (.js), it may be plausible to block .js execution in the browser as well.
Average Desktop User (AMD): Your CPU is mostly immune, as AMD is adamant that these exploits do not affect their architecture. If anything changes, I am actively tracking and will alert you.
The Gamer (Intel): Early reports are stating a 5-35% performance loss, with some going as high as 50%; however, thorough performance impact benchmarks have not been widely done yet, so we really have no idea how large a performance hit gaming on Intel CPUs will take. You could risk it and keep Windows from updating, but we would not recommend that currently.
The Gamer (AMD): Current patches are only for Meltdown and will not affect performance, but when Spectre is patched the performance loss may be 0-2%, per AMD. Feel free to keep your computer updated and secure with no concern for the possible performance collapse Intel processors will experience.
The Admin: This is going to boil down to company policy. You will have to weigh the unknown vs. the known. Are the patches compatible with your AV suites? Will they cause an adverse business impact when deployed? Will performance impacts cause issues, and what could they affect specifically? If it were me, I’d look at critical systems and start there. Protecting sensitive data is a priority. When upgrade time comes around, I would pressure the higher-ups to switch to AMD EPYC based servers ASAP.
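As an added example, not from the original post, here is a POSIX shell check an admin can run on Linux servers (such as the AWS instances mentioned above) to see which of these mitigations the running kernel actually reports. It reads the kernel's /sys/devices/system/cpu/vulnerabilities files, which exist from Linux 4.15 and in distribution backports; the directory is a parameter so the checker is exercised here against constructed sample files in the kernel's format, and the live path is only read when it exists.

```shell
#!/bin/sh
# Report the Spectre/Meltdown mitigation state the Linux kernel exposes in
# /sys/devices/system/cpu/vulnerabilities (kernel 4.15+ and distro backports).
# Each file holds one line such as "Vulnerable", "Not affected" or
# "Mitigation: PTI". The directory is a parameter so the check can also be
# run against a constructed copy (see make_sample_dir) on any machine.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_speculation_status [DIR]
# Prints one line per vulnerability; returns 1 if any entry is still
# vulnerable, missing or unrecognised, 0 if every entry is mitigated.
check_speculation_status() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # An old kernel reports nothing: treat as unknown, not as safe.
            printf '%-10s UNKNOWN (missing %s)\n' "$name" "$f"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected") printf '%-10s not affected\n' "$name" ;;
            Mitigation:*)   printf '%-10s mitigated (%s)\n' "$name" "$status" ;;
            Vulnerable*)    printf '%-10s VULNERABLE (%s)\n' "$name" "$status"; rc=1 ;;
            *)              printf '%-10s unrecognised: %s\n' "$name" "$status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# make_sample_dir DIR MELTDOWN SPECTRE_V1 SPECTRE_V2
# Writes constructed status files in the kernel's format, for offline use.
make_sample_dir() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/meltdown"
    printf '%s\n' "$3" > "$1/spectre_v1"
    printf '%s\n' "$4" > "$1/spectre_v2"
}

# Demo: a constructed unpatched host, then the live system if it reports.
demo=$(mktemp -d)
make_sample_dir "$demo/unpatched" "Vulnerable" "Vulnerable" "Vulnerable"
check_speculation_status "$demo/unpatched" || echo "-> constructed host needs patching"
rm -rf "$demo"
if [ -d "$VULN_DIR_DEFAULT" ]; then
    check_speculation_status || echo "-> this host needs patching"
fi
```

A non-zero exit status is what an inventory or monitoring job should key on; the printed lines are for the human reading the report.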