Intel, under the spotlight
Meltdown and Spectre
Meltdown and Spectre take advantage of critical vulnerabilities in modern processors. These hardware errors allow programs to steal data that is currently processed on the computer. Although, normally these are not allowed to read data from others, a malicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of other running programs. This could include your passwords stored or browser administrator, personal photos, emails, instant messages and even business critical documents.
Meltdown and Spectre work on personal computers, mobile devices and in the cloud. Depending on the infrastructure of the cloud provider, it may be possible to steal data from other clients.
Meltdown is the immediate threat, with proof-of-concept exploits already available, but Spectre is much deeper and difficult to patch, which can potentially generate generations of more subtle exploits in the years to come.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory and, therefore, also the secrets of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with confidential information without the ability to filter the information. This applies to both personal computers and the cloud infrastructure. Fortunately, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to cheat programs without errors, which follow best practices, to filter their secrets. In fact, the security controls of such best practices actually increase the attack surface and can make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to avoid specific known exploits based on Spectre through software patches.
Vulnerability in the cloud
The focus so far has been on personal devices, with an avalanche of patches already available, but many experts believe that the most severe damage is likely to occur when exploits connect to cloud services.
“These vulnerabilities will allow a tenant to analyze the data of another co-hosted tenant … This is the reason why many organizations avoid hosted services when it comes to processing sensitive information”
Mounir Hahad, head of threat research at Juniper Networks.
On a personal computer, that attack would be more useful for escalation of privileges: a hacker running low-level malware could use a Specter error to own his entire computer. But there are many ways to control a computer once you have a foothold, and it is not clear how much a new processor attack could change things.
But privilege escalation is much stronger in the cloud, where the same server could work for dozens of people at a time. Platforms such as Amazon Web Services and Google Cloud allow online companies to broadcast a single program on thousands of servers in data centers around the world, sharing hardware. The collective hardware is not a security problem because even when different users are on the same server, they are in different software instances, without the possibility of passing from one instance to another. Specter could change that, allowing attackers to steal data from anyone who shares the same chip. If a hacker would want to make that type of attack, all they would have to do is start their own instance and run the program.
Cloud services are also a lucrative goal for anyone who wants to take advantage of Specter. Many medium-sized companies manage their entire infrastructure on AWS or Google Cloud, often relying on the platform with sensitive and potentially lucrative information. Bitcoin exchanges, chat applications and even government agencies keep passwords and other sensitive data on cloud servers. If you are running a modern web service, there is simply no other option. If someone configured a new exploit running on an instance of the cloud, there is no way to know what kind of data might fail.
So far, cloud platforms take the threat seriously and do everything possible to contain it. Amazon Web Services, Google Cloud and Microsoft Azure immediately implemented patches against the Meltdown attack, and there is no indication that the available exploits can work against any of these platforms. Where there have been persistent vulnerabilities, it is because companies expect third-party patches, such as Amazon EC2’s Windows-based instances. The main platforms have handled the immediate response well, and there is no reason to think that we are heading towards a catastrophe in the cloud in the days immediately following.
Today, Intel made a statement that says it has issued an update that makes the processors immune to the two vulnerabilities.
Intel‘s Full reléase
Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
System updates are made available by system manufacturers, operating system providers and others.
Intel will continue to work with its partners and others to address these issues, and Intel appreciates their support and assistance. Intel encourages computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date.
For more information you can read these documents that have all the technical detail: