From how Spectre and Meltdown differ to how patching will impact machine performance to what's behind the news that applying patches will blue screen computers, Cybereason CTO Yonatan Striem-Amit received several questions from people who attended our webinar on what security professionals should know about these hardware flaws. In this blog, he answers many of those questions. And if you want to learn more about these vulnerabilities, including what mitigation measures to implement, check out a blog Striem-Amit wrote.
ARE SPECTRE AND MELTDOWN SEPARATE FLAWS?
Spectre and Meltdown are very similar flaws, but they are actually three separate vulnerabilities. Meltdown is specific to Intel processors and is, by far, more easily exploitable. It is also more easily mitigatable and is addressed by recent patches from Microsoft, Apple and Linux. Spectre is an attack against two classes of issues, affecting Intel, AMD and ARM CPUs. These attacks are harder to exploit, but also much harder to mitigate. OS and CPU vendors are still trying to figure out the best mitigations.
Would pcaps allow you to detect the IOCs for these attacks?Generally, no. Some manifestations of these attacks will use plain-text JavaScript code that might be detectable by network traffic. But these will be the exception.
Both classes of attacks require the adversary to run low-privilege code on the attacked machine so the risk to networking devices is low. The exception is devices that allow customer controlled code. We may see bizzare things like attacks against printers by abusing postscript code, but, to the best of my knowledge, this hasn’t happened.
Correct. The Microsoft patches are inactive unless explicitly activated by an antivirus solution running on the machine. They have a high risk of blue-screening the machine if activated with an unsupported antivirus.
Generally there’s very little that is loggable. That’s the risk of this attack. It can be done with almost no interaction between the software running and the kernel. There are some minor side effects that can potentially be used for detection and we’re researching these options.
The most likely scenario is using malicious JavaScript. For example, malvertising could be used. That’s when malicious JavaScript code is used in an advertisement placed on a legitimate website. Other malware could use this technique as well and it is likely to become a tool used by hackers to circumvent kernel protection. The risk when using JavaScript: critical. An example would be a malicious JavaScript code that can read the contents of kernel or other tabs and steal user names and passwords.
This is unclear since the firmware patch isn’t publically available yet. Early signs indicate that a firmware update has to be combined with OS patching.
These are CPU bugs that are inherent to the design of processors built over the past 20 years. See my answer to the previous question about only updating firmware.
Meltdown only affects Intel CPUs, is easier to exploit and poses greater risk. It’s also easier to mitigate against it. Spectre affects Intel, AMD and ARM CPUs. AMD is technically correct in saying that it’s not affected by Meltdown, but their decision to downplay the Spectre vulnerability is a marketing trick to bash Intel.
I doubt it. Obfuscating JavaScript is very easy. Network security firms will create a signature for the non-obfuscated version that will be used to demonstrate these attacks, but attackers will have a very easy time evading these detections.
Patching your host could lead to performance degradation ranging from 5 percent to 30 percent. But performance degradation is very workload specific and really depends on your environment. We’ve seen machine increase their load by 20 percent on virtual environments, while others have shown almost no impact. Initial indicators show that the more I/O intensive your workload is, the more impact patching will have.
Intel CPUs from Haswell (fourth generation Core CPUs, v3 Generation XEON CPUs) support an extension called PCID (Process Context Identifier). This list from Intel shows which CPUs are Haswell. Any CPU with a newer number should have minimal impact.
Patching the host protects the host from malicious guests. Patching the guests protects the guest’s kernel from malicious low-privilege applications. The decision depends on your usage patterns. In general, patching is recommended.
The blue screens are mostly caused by third-party solutions - particularly antivirus software that isn’t compatible with these changes - not Microsoft code. Here’s an analogy to better explain the situation: if the electric grid started transmitting power at 220 volts instead of 110 volts tomorrow, my TV will still fry even if the electrical company handled the transition perfectly.
This is the case here. The Microsoft patch does what it needs to, but Microsoft said the patch is delivered as “Inactive” and will only be activated if either turned on manually or automatically by the antivirus vendors. You can apply the patches now because they will not be activated until your antivirus vendor patches their software.
One important note: while Microsoft may place the responsibility on antivirus vendors, their programs are not the only applications running on your machines. Other software, such as DLP or copy-protection programs, could also blue screen when enabling these patches. I strongly recommend that the activation of these patches be done in a cascade while ensuring compatibility with existing software.
The patch is available now, pushed as an out-of-band update. It will not be activated by Microsoft and requires explicit activation from antivirus vendors.
Assuming that both antivirus programs support the patch correctly, there shouldn’t be a problem. If the removed antivirus software doesn’t support the patch, you should be fine. But if the antivirus program being installed doesn’t support it, you risk getting a blue screen
These attacks are vector independent. We’ll likely see a lot of use in JavaScript-based malware.
There is no solution for older OSs. Microsoft said it will not back-port the patches to unsupported systems
This risk is relatively low. These exploits require the ability to run low-privilege code. Often times it’s difficult to know if a medical device is really at risk. With that said, I recommend talking to someone to make sure there’s really no ability to run this code. In general, given the attacks we saw last year (such as WannaCry), I strongly recommend fully patching medical devices and any other industrial device.
Intel and Microsoft patches are needed to protect machines from Meltdown while vendor patches are needed to ensure that these patches are active.
Virtual machines running on susceptible hardware may attack the host and read its content and potentially read content from other hosts. Virtual machines running on susceptible hardware are vulnerable to being attacked from low-privilege code running within the virtual machine.
Learn how Cybereason can help companies handle the fallout from Meltdown and Spectre.
Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.
Combining the Cybereason operations-centric EDR with Nuspire’s top-notch security operations team enables defenders to combat sophisticated and persistent threats to our mutual customer’s organizations...
Cybereason and TruVisor today announced a partnership that will protect ASEAN region organizations from sophisticated cyberattacks. As part of the partnership, TruVisor will expand Cybereason’s reach with the region’s top resellers and MSSPs across Southeast Asia...
