Meltdown and Spectre: what you need to know

Posted: January 4, 2018 by
Last updated: January 12, 2018

UPDATE (as of 1/12/18): Several vendors have produced patches for Meltdown and Spectre; however, performance problems dog the fixes. Details on the patches were published here.

UPDATE (as of 1/04/18): Since Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.

Overview

If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. In short, Meltdown and Spectre are the names given to several newly disclosed vulnerabilities in the way modern processors execute instructions, affecting chips from numerous manufacturers. Meltdown affects Intel processors, while Spectre can be used to attack nearly every processor type.

An attack using these vulnerabilities can read memory that is supposed to be isolated from the attacker, such as memory belonging to the kernel or to another process. That memory may contain personally identifiable information, banking details, and of course usernames and passwords. Meltdown requires a malicious process to be running natively on the system, whereas Spectre can be launched from the browser using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from these vulnerabilities. Some of the updates from Microsoft may interact badly with certain antivirus solutions; Malwarebytes is fully compatible as of our latest database update. The best thing you can do to protect yourself is to update your browsers and your operating system as soon as you see a patch available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.

Details

The Google Project Zero team, in collaboration with academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants, bounds check bypass (CVE-2017-5753, Spectre variant 1), branch target injection (CVE-2017-5715, Spectre variant 2), and rogue data cache load (CVE-2017-5754, Meltdown), affect most modern processors.

If you’re wondering whether you could be impacted, the answer is almost certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they live in the hardware itself, below the operating system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications from the operating system, which prevents a program from reading or writing kernel memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those isolation guarantees, opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows an attacker with code running on a machine, be it desktop, smartphone, or cloud server, to read memory contents they should not be able to see, exposing passwords and other sensitive data. The flaw is tied to what is called speculative execution: to avoid stalling, a processor predicts the outcome of a branch (or the result of a permission check) and runs the instructions beyond it before it knows whether they are needed. If the guess turns out to be wrong, the results are discarded, but side effects such as which data was pulled into the cache remain, and an attacker can measure those side effects with timing to recover the data that was touched.

The Meltdown variant only impacts Intel CPUs, whereas the two Spectre variants affect CPUs from every vendor that implements speculative execution. This includes most CPUs produced over the last 15 years by Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently exploiting these bugs, and because exploitation leaves no trace in conventional logs, it may be impossible to find out, as the vulnerability researchers confirm:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While no attacks have been reported in the wild as of yet, several proofs of concept have been made available, including this video that shows memory being extracted (using an undisclosed PoC). This is particularly worrying because (1) there are few options for protection at the moment and (2) as stated above, even if threat actors do spring into action, it may be impossible to verify that they have.

Mitigations

Because Meltdown and Spectre are hardware vulnerabilities, security programs and safer surfing habits alone will do little to protect against a potential attack. However, an operating-system patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with a significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends that users:

  1. Keep computers up to date.
  2. Install the applicable firmware update provided by OEM device manufacturers.

If you are having trouble getting the Windows update, please refer to this article: Microsoft has stated that the update is withheld from systems running certain security software until the vendor confirms compatibility.

No general software patch for Spectre is available at the time of writing. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.
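The bounds-check-bypass variant (Spectre variant 1) is the one for which partial hardening is best understood, and it makes the speculative-execution explanation above concrete: the vulnerable pattern is a bounds check followed by a memory access that depends on the checked index, and the hardening is to clamp the index with a branch-free mask so that even a mispredicted branch cannot make the access reach outside the array. The C below is an added illustration, not code from the original post or from Malwarebytes. The array names follow the Spectre paper's proof of concept, the array contents are constructed, and the mask mirrors the approach later adopted by Linux's `array_index_mask_nospec()`, written here in portable C where the kernel uses inline assembly.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (names follow the Spectre paper's PoC, values are
 * arbitrary). array1 is the public array the victim is allowed to index;
 * array2 is the probe array whose cache state leaks the byte that was read. */
#define ARRAY1_SIZE 16
#define STRIDE 512                      /* one probe slot per possible byte value */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * STRIDE];

/* Fill each probe slot with its own index so the demo returns a visible value.
 * Returns the number of slots written. */
int init_probe_array(void) {
    for (int i = 0; i < 256; i++)
        array2[i * STRIDE] = (uint8_t)i;
    return 256;
}

/* Vulnerable gadget: Spectre variant 1 (bounds check bypass).
 * Architecturally the branch protects array1. But once the predictor has been
 * trained with in-bounds x, an out-of-bounds x still runs the body
 * speculatively: the CPU reads array1[x] (a byte past the array, wherever it
 * happens to live) and touches array2[byte * STRIDE]. The result is discarded,
 * but that cache line stays loaded, and an attacker who times accesses to
 * array2 afterwards learns which line it was, i.e. the value of the byte. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Only unsigned arithmetic, so there is no branch for the predictor to skip.
 * If index >= size, size - index - 1 wraps around and sets the top bit. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t top = (index | (size - index - 1)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (top ^ 1);
}

/* Clamp index to the array: unchanged when in bounds, 0 when out of bounds. */
size_t clamp_index(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* Hardened gadget: even if the branch is mispredicted, the speculative load
 * hits array1[0] rather than memory beyond the array, so nothing outside the
 * array is ever encoded into array2's cache state. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

int main(void) {
    init_probe_array();
    printf("in bounds    : vulnerable=%u hardened=%u\n",
           victim_vulnerable(3), victim_hardened(3));
    printf("mask(3, 16)  = %#zx\n", index_mask_nospec(3, ARRAY1_SIZE));
    printf("mask(40, 16) = %#zx\n", index_mask_nospec(40, ARRAY1_SIZE));
    printf("clamp(40, 16)= %zu  (the index the hardened gadget reads, even speculatively)\n",
           clamp_index(40, ARRAY1_SIZE));
    return 0;
}
```

Both gadgets behave identically for architecturally valid input; the difference only matters on the mispredicted path, which is exactly why the bug is invisible to ordinary testing. Note that an optimizing compiler which can prove the clamp is a no-op inside the `if` is free to delete it, so production mitigations (the Linux kernel's version included) pin the mask in inline assembly behind a barrier rather than relying on plain C.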

Spectre can be exploited from JavaScript and WebAssembly running in a web page, which makes it even more critical. It is therefore recommended to apply countermeasures such as Site Isolation in Chrome (chrome://flags/#enable-site-per-process), which puts each site in its own renderer process so that other sites’ data is not in the attacker’s address space to begin with. Mozilla is rolling out a Firefox patch that reduces the resolution of performance.now() and disables SharedArrayBuffer, blunting the high-precision timers the attack depends on, while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers about upcoming downtime, since on shared hardware a guest virtual machine could otherwise read memory belonging to the hypervisor or to other tenants’ virtual machines.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:


COMMENTS

  • NEXUS2345

    Does Malwarebytes support the patches Microsoft have issued?

  • Maynard Inc

    Yes, I would like to know this as well.

  • According to our telemetry, most users should be able to receive the latest update from Microsoft. We’re currently working to ensure that all of our customers have access to the patch. (We updated this info in the blog above as well.)

  • Darryl

    Wondering if it would be a good idea to use a customized read-only Linux VM for a while as opposed to using the host system directly…..it is set up to help ensure privacy and security and has no personal information, and I can use sneakernet and my own USB sticks to transfer data. And when I shut it down…it’s gone.

  • Matthew Cook

    Where can I Find the database version on Malwarebytes EE?

  • a1

    is Malwarebytes Database Update 1.0.3624 the same thing as v2018.01.03.624

  • Lord Dcee

    Am I understanding this correctly: does someone need to execute malicious code even if they use any of the vulnerabilities? If not, does it mean that besides OS and particular software patches, no antivirus can be of any future use for these vulnerabilities?

  • Adondriel

    Most anti-virus software is behind the hackers, meaning that the hacks are out there before the anti-virus people can even try to stop it. Most anti-virus can’t find a virus… until after you’re infected. MB is really the only trustworthy company out there now. Which is sad, Avast and AVG used to be good… not anymore. Just use Windows Defender + MalwareBytes and you should be good.

  • Adondriel

    You COULD do that… but that’s a lot of work.

  • Darryl

    Hardly any, actually. Just the inconvenience of keeping a secure list of certain passwords (FB, LinkedIn and a couple others). I have a VMware lab on one hand and a VBox research setup. OTOH I read somewhere that the VM would be just as vulnerable.

  • St8kout

    Hmm, why are my posts disappearing? I’m only trying to warn about your computers also needing firmware updates, not just software updates.

  • St8kout

    Intel has a detection tool to see if your motherboard is vulnerable, but it looks like my posts vanish when I include the link to Intel, so you’re on your own to try and find it on Intel’s site.

  • B Campag

    Windows Update installed patch kb4056892 and I have obtained the ME fix from Acer for this PC. Do I need to apply the ME fix or does the Windows solution make it redundant? Also, is the MWB fix included in the regular updates or does it require a new program version? (3.3.1 is what I have currently).

  • Arshad Mohammed

    Is there any program to detect Meltdown and Spectre? If not, is it possible to build a program to detect the malware, I mean a log file, not like a traditional log file, with some conditions to detect Meltdown and Spectre? To find whether it attacks my PCs. I notice that they used a low-level language to attack the processor. What type of malware is this?

  • Hopper15

    Disagree. Avast and Malwarebytes is still a pretty good tandem. Windows Defender’s detection rate is also a lot lower than Avast.

  • Yoke Bin

    If the OS does not have antivirus installed, is it necessary to set the registry key below before the patch works, even if it is installed successfully?
    Key=”HKEY_LOCAL_MACHINE” Subkey=”SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat” Value=”cadca5fe-87d3-4b96-b7fb-a231484277cc” Type=”REG_DWORD”
    Data=”0x00000000”

    Or as long as the patch installed successfully as seen in Windows Updates history means that it is working?

  • Joe Oconner

    “However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.”

    This is extremely misleading. A MacOS patch has ONLY been rolled out for 10.13 (High Sierra).

    10.12 and below do not have the security update. If I am wrong, correct me please.
    High Sierra is still iffy in certain professional settings, so it’s insane that they haven’t offered a security update for other versions.

  • Catalin Cretu

    If I updated my motherboard Bios version to the latest available on manufacturer site , am I vulnerable to those attacks ??? All my drivers are updated to latest version and have a good antivirus 😉😀, Please reply!

  • Catalin Cretu

    Avast is very good if you set it to highest and also has Boot Scan that searches for viruses before Windows loads😉 !

  • If you’ve also applied the latest Windows updates and running Windows 7 and above you’re mostly covered indeed.

  • TuckerdogNC

    I have a question regarding Malwarebytes and can’t find the answer. I have it installed “on the computer”; it shows up in the top of my Mac computer. Do I need to download and install Malwarebytes on Safari, Firefox and Chrome? Or is this one install good enough?

