Activate Available Browser Defenses Without Delay, Security Experts Warn
Patch or perish to protect against Meltdown and Spectre attacks. That advice goes not just for many devices that run processors from Intel, AMD and ARM, but also devices running Apple, Google and Windows operating systems, including Apple iOS and Android smartphones and tablets (see Serious Meltdown and Spectre Flaws Make CPUs Exploitable).
See Also: How to Scale Your Vendor Risk Management Program
Also plan to keep patching for the foreseeable future as chipmakers, operating system and device makers, and software developers continue to refine their defenses against these data-stealing attacks (see Meltdown and Spectre: Patches and Workarounds Appear).
Both attacks target a CPU performance feature known as speculative execution and could be used to steal data, but thankfully not to remotely execute code. “The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory – including that of the kernel – from a less-privileged user process such as a malicious app running on a device,” Apple says in its security alert.
These “speculative execution side-channel attacks” can be used to exploit many modern processors built by Intel, AMD and ARM.
Each attack differs:
- Meltdown: This “rogue data cache load” exploitation technique (CVE-2017-5754) can be used to read kernel memory. Security experts say these exploits are the most likely to be seen in the wild, with the CERT division of the Software Engineering Institute saying that launching successful exploits would be relatively easy.
- Spectre: Two flaws – “bounds check bypass” (CVE-2017-5753) and “branch target injection” (CVE-2017-5715) – in Apple’s words “potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.” But CERT division says Spectre attacks would be very difficult in practice, in part because they would have to be tailored to the targeted environment.
Updates will need to be installed for firmware that runs vulnerable chips. Operating systems – Android, Chrome, iOS, Linux, MacOS, Windows – must also be updated. The same goes for all browsers and many other applications too, including anti-virus software. Cloud service providers, including Amazon, Google and Microsoft say they have also been rushing out protections for their cloud environments.
Patches for Meltdown have already started to appear. Fixes for Spectre, however, have been slower, in part because code must be recompiled with firmware updates and other safeguards.
Thankfully, developers say there are some good-looking fixes in the pipeline. “The proposed solutions are not trivial, but some of them are amazingly good,” says Linux kernel developer Greg Kroah-Hartman in a blog post. In particular, he points to Reptoline, which Google says it’s designed “to protect sensitive binaries (such as operating system or hypervisor implementations) from branch target injection attacks against their indirect branches.”
On the Spectre-battling front, Microsoft has released new versions of Internet Explorer and Edge for Windows 10; Mozilla has released Firefox 57 and new versions of Google Chrome and Apple Safari are due soon.
Expect all browser makers to continue issuing fixes. “The full extent of this class of attack is still under investigation, and we are working with security researchers and other browser vendors to fully understand the threat and fixes,” Mozilla software engineer Luke Wagner says in a blog post.
On the operating system front, Microsoft has released an initial security update designed to mitigate some Meltdown and Spectre flaws in supported Windows operating systems, including Windows Server 2008 R2, 2012 R2 and 2016, in the form of its KB4056892 security update. The update includes fixes for Microsoft Edge and Internet Explorer 11 browsers designed to make exploiting the flaws more difficult.
Microsoft recommends all Windows users ensure that updates are installed, preferably via automatic updates. If updates are set to automatically install, Microsoft recommends verifying that the update has taken place. In particular, any organizations pushing out Windows patches via System Center Configuration Manager or Windows Server Update Services must take additional steps or the Windows security update will not be installed, warns Liverpool, England-based security researcher Kevin Beaumont.
I’ve been sent this “However, please note that ALL Windows machines that rely on Windows Update (including SCCM) to automatically download and deploy security patches from Microsoft will need to have the ALLOW KEY registry setting in order to obtain the update”
— Kevin Beaumont (@GossiTheDog) January 8, 2018
Also, Microsoft and AMD say that KB4056892 is incompatible with some older AMD chipsets, resulting in updated PCs being unable to boot. Both say they’re working on a fix (see Microsoft Pauses Windows Security Updates to AMD Devices).
In addition to updating Windows, users of Microsoft’s Surface devices have a firmware update to install. “Customers using Surface products need to apply both firmware and software updates,” Microsoft says.
Anti-Virus Updates Required
Anti-virus engines apparently will not stop Spectre and Meltdown attacks. But anti-virus engines running in Windows are affected by the vulnerabilities, in that they must be updated to work with Microsoft’s security update.
To differentiate between anti-virus software that has been updated or not updated, Microsoft is requiring anti-virus vendors to set a registry key in their software. If that key has not been set and the user is running third-party anti-virus software, they will not receive Microsoft’s KB4056892 security update or any subsequent updates.
All Windows anti-virus applications must be updated. Security researcher Kevin Beaumont has been working with vendors and tracking their efforts in an online spreadsheet.
Apple, Android, Linux Patches
Beyond the Windows world, Apple said on Jan. 5 that it had released updates in the form of iOS 11.2, macOS 10.13.2 and tvOS 11.2 to help defend against Meltdown. “In the coming days we plan to release mitigations in Safari to help defend against Spectre,” Apple says. “We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS,” it adds, noting that Apple Watch is not affected by Meltdown or Spectre.
Google has updated Android with “mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors” and released fix code to manufacturers. All smartphones supported directly by Google started to get fixes last month. But it’s unclear when fixes for Android phones shipped by other OEMs might make it to end users, if they ever do.
Meanwhile, the Linux kernel has been patched with three Meltdown mitigations including KPTI, aka Kaiser. Linux distributions Red Hat and SUSE have also begun to release patches.
Red Hat says its patches, best practices and mitigations will likely continue to evolve. “While we have a solid understanding of these vulnerabilities and the current analysis of the contributing factors as well as patches to mitigate their potential impact, we will continue to collaborate with our partners, customers and researchers on this situation,” Jon Masters, Red Hat’s chief ARM architect, says in a blog post.