The beginning of the year has been dominated by two security vulnerabilities, known as Meltdown and Spectre. Both, in their own way, allow any local user to access a system’s memory and misuse the contents for malicious purposes. Let’s see why this is bad and why it may become worse in the future…

In technical terms, Meltdown breaks down the boundary that prevents user applications from accessing privileged system memory space. This vulnerability has been confirmed to exist in all Intel processors produced since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP and Lenovo.

Spectre is similar, but allows an attacker to use a CPU's cache channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre is known to affect Intel, AMD and ARM processors. This includes computers, tablets and smartphones made by Apple, Microsoft, Dell, HP, Google and Lenovo, among others. Spectre is much more difficult to successfully exploit than Meltdown, as its attack surface is limited to user space processes, such as web browsers and desktop applications.

Technicalities apart, abusing Spectre or Meltdown allows an attacker to download the contents of the memory from your device and dissect it offline to extract your passwords, private SSH keys or certificates, or any other juicy information. Fortunately, the memory does not come with a big sign saying “Password here!”. Therefore, any extraction process would be slow, cumbersome and not straightforward. Hence, while proofs of concept do exist, no systematic exploitation of either Spectre or Meltdown has yet been reported.

First of all, and most problematic so far, the fixes greatly depend on your computer’s hardware, i.e. while the most recent and popular chip sets will receive fixes in a timely manner, other hardware might not: think of your computer’s BIOS, or your Internet-of-things device (see our Bulletin article “IoTs: The treasure trove of CERN”). So we may end up with many embedded devices that will never receive a fix for Spectre or Meltdown.

Secondly, there are fears that applying the current fixes will naturally slow down any computer: depending on what your computer is used for, reported performance drops vary between a few per cent and up to 30%. But there is no need to panic (yet), as newer fixes might correct that, too.

Thirdly, Intel and probably others have allegedly known about these vulnerabilities for a while. This may mean that people with malicious intent were already exploiting these vulnerabilities long before they became public knowledge. However, so far no reports have confirmed whether or not this has actually happened.

And, as a result of all these things, this may be just the beginning. As with past scares of this nature, the focus of security research and the way in which the vulnerabilities are exploited will change! Think of the POODLE SSLv3 vulnerability found in the aftermath of the Heartbleed OpenSSL vulnerability: Spectre and Meltdown are probably just the first known vulnerabilities linked to exploiting hardware weaknesses. The next generations of Spectre and Meltdown may be more intrusive and easier to exploit, and may not quickly become public knowledge. A feast for security agencies and criminals, a pain for those of us responsible for defending our IT systems…

Raise the bar! Make sure that all your systems are automatically updated when your hardware or operating system provider issues new fixes. Use the standard (automatic) update mechanisms of Windows, Linux, Mac, Android or iOS devices. And keep an eye on your embedded devices. Or, if you can’t, don’t connect them to the Internet or allow just anyone to access them.

You can find more details on CERN’s strategy regarding Spectre and Meltdown here.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.

Two distinct vulnerabilities dubbed Meltdown and Spectre potentially affect almost every system 1.
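To confirm that the updates recommended above have actually taken effect on a Linux machine, the kernel's own status report can be read directly. This is an added example, not part of the original article; it assumes a Linux kernel (4.15 or later) that exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities
# (mainline 4.15 and later); older kernels lack the directory entirely.

# Map the kernel's status string to one of four classes.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print one line per issue; return 1 if any entry is vulnerable,
# unreadable or unrecognised, so the function can gate a compliance job.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            raw=$(cat "$dir/$issue")
            class=$(classify_status "$raw")
        else
            raw="no status file (kernel too old to report?)"
            class="unknown"
        fi
        printf '%-11s %-13s %s\n' "$issue" "$class" "$raw"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the live system (or a directory given as $1).
check_cpu_vulns "${1:-}" || echo "ACTION: apply pending kernel/firmware updates"
```

A missing status file is treated as a failure on purpose: a kernel too old to report its state is also too old to contain the fixes.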