Last week it was revealed that for decades there have been two major related vulnerabilities in how processors defend the most sensitive memory of billions of computers. These hardware vulnerabilities, dubbed Meltdown and Spectre, allow programs to steal data processed on a computer.
The Meltdown and Spectre vulnerabilities are consequences of a modern CPU performance feature called speculative execution. Speculative execution improves processor speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory, including that of the kernel, from a less-privileged user process such as a malicious app running on a device. The sensitive data at risk could include everything from photos, emails, instant messages and documents to cryptographic keys and passwords stored by browsers.
In what appears to be a bizarre coincidence, the two-decade-old vulnerabilities were discovered independently by four teams of researchers within months of each other, raising the question of who else might have discovered the flaws before them and who might have secretly been using them for spying, potentially for years, before the vulnerabilities were exposed.
What’s really scary is that, unlike malware, Meltdown and Spectre are hard to distinguish from regular applications, rendering antivirus software ineffective and exploitation attempts invisible.
Meltdown works by breaking down the most fundamental isolation between computer applications and the computer’s operating system, allowing a malicious program to access the memory, and thus the secrets, of other programs and the operating system. Similarly, Spectre breaks the isolation between different applications, allowing an attacker to trick a program into leaking its secrets. Ironically, the safety checks built into many programs may actually increase the attack surface and thus the susceptibility to a Spectre attack.
Although this is a hardware flaw, vendors are issuing software patches that defend against Meltdown and Spectre exploitation, so it's important to ensure that all your devices and systems are updated immediately. This includes operating systems, browsers and antivirus software. In the meantime, some safety measures are recommended:
1) Never let your browser store your passwords. Spectre attacks will harvest all those passwords.
2) Always log out of all web applications. Don't just close the browser. Browsers cache passwords in addition to actually saving them, but logging out forces the browser to flush those temporary passwords from the cache so they can’t be collected in Spectre attacks.
3) Considering the significant risk of user password theft, ShareVault owners should consider securing access to their data by enabling Two Factor Authentication, which will prevent stolen passwords from being used to access their vault. Two Factor Authentication requires users to verify themselves via a text message or authenticator app in addition to their password. Read here for steps to enable this feature.
ShareVault's vendor response to these threats has been swift. The patches that decrease the risk of these vulnerabilities were rapidly deployed to our infrastructure. Meltdown will likely fade away in the long term as an annoyance, while Spectre, as its name suggests, may be with us for a while because it doesn’t have a simple fix.
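To confirm that the operating-system patches recommended above are actually active on a Linux machine, the kernel's own status files can be read and classified. This is an added example, not ShareVault's code; it assumes a Linux kernel new enough (4.15 or later) to expose `/sys/devices/system/cpu/vulnerabilities`, and the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report the kernel's Meltdown/Spectre mitigation status on Linux.

Added example; the function names are illustrative, not from any product.
"""
import sys
from pathlib import Path

# Linux kernels 4.15 and later expose one status file per CPU vulnerability here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(raw):
    """Map a kernel status line to a verdict string."""
    if raw is None:
        return "unreported"      # file absent: older kernel or not Linux
    text = raw.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"             # wording this script does not recognise


def audit(base_dir=SYSFS_DIR, checks=CHECKS):
    """Return {name: (verdict, raw_line_or_None)} for each check."""
    results = {}
    for name in checks:
        try:
            raw = (Path(base_dir) / name).read_text(errors="replace").strip()
        except OSError:
            raw = None
        results[name] = (classify(raw), raw)
    return results


def needs_attention(results):
    """Names whose status is anything other than mitigated or not affected."""
    ok = {"mitigated", "not_affected"}
    return sorted(n for n, (verdict, _) in results.items() if verdict not in ok)


if __name__ == "__main__":
    report = audit()
    for name, (verdict, raw) in report.items():
        print(f"{name:12} {verdict:13} {raw or '(no status file)'}")
    sys.exit(1 if needs_attention(report) else 0)
```

The script exits non-zero when any of the three entries is vulnerable, unreported or unrecognised, so it can be used as a gate in a patch-compliance job.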
Phillip Bandy is ShareVault’s chief information security officer (CISO) and is responsible for establishing security standards and controls, guiding the implementation of security technologies, and managing the establishment and implementation of security policies and procedures. He is an expert in computer incident response and has implemented computer security controls for NASA’s Mission Control.