By Rob Meyers, Director Of Systems Architecture, MCITP, MBSP, MCSE
By now you’ve probably seen the news. There are exploits due to some flaws in CPU or processor design. They’re called Meltdown and Spectre. The number one issue that the industry is seeing with these exploits is very simple: they are based on a fundamental design used in most microprocessors.
Please note that all the major manufacturers are rapidly working on software solutions to this exploit. This does not mean it will be 100% fixed immediately.
What is it?
A new technique was found to inject or remove data from RAM. This is done by exploiting a flaw in microprocessors. The flaw stems from the fact that a microprocessor uses speculation to accelerate its performance. It splits work between the cache on the CPU and RAM. As time goes on it swaps pieces from RAM into the cache and then clears out the cache. This is done speculatively in order to speed things up. Yes, your CPU guesses what it needs to do next. If it is correct, the CPU moves on to the next instruction; if not, it guesses again. This is the source of the vulnerability. The exploit allows data to be retrieved from the cache, injected into the cache, or read directly from memory. Oddly enough, although there are two names, Meltdown and Spectre, there are actually three exploits.
When did this occur?
These exploits were documented in June and July 2017. They were not made public until this week.
Who is using the exploits?
When an exploit is used for malicious intent, it is referred to as being used "in the wild" or found "in the wild". As of yet, this one has not been found in the wild. However, the techniques and technology behind it, along with example code, have been published on public websites. The reason for this is that after six months, people felt that something should be able to be done about it. However, not everything is ready to go at this point.
How does this affect me?
This is one of the most extreme vulnerabilities ever found on a computer. It affects most computers built from 1995 to today. If you have a current operating system on your computer, you should be able to patch to protect yourself against this. However, if your system is not up-to-date, not under support, or cannot get patches, you need to upgrade and patch. As of right now, it would be normal to consider defending yourself against this exploit. We do not know when this will hit the wild, or if it already has.
The impact is going to be felt on most computers made since 1995, in addition to most modern cell phones (e.g. iPhone and Android), tablets, and even smart watches. Currently there is disagreement as to whether the Apple Watch is impacted, though the more technical responses seem to believe it is.
Will there really be a performance impact?
Intel, Microsoft, Google, Apple, AMD, and a plethora of coders throughout the world are currently working on solutions for this. The current solutions can have a drastic impact on performance. For a workstation it is normal to see 2% to 3% degradation, although more has been experienced. Servers can expect a significantly higher performance hit. The consensus seems to be about a 30% impact on traditional servers, though the range has been reported as between 17% and 50%.
In our testing, a computer running Windows 10 (1709) was noticeably impacted. It did not, however, render the computer inoperable; it was simply slower, with a little more lag.
What should I do?
You will see some websites simply recommend throwing away your microprocessor. Obviously, this is not realistic. In general, you should consider two things. The first is to patch and accept that there will be a performance impact. The second is to change your password regularly (at least once a month, if not more often). When large exploits are public, it is better to use throwaway passwords than to expect to be protected when you may not be.
What is Managed Solution doing?
For all of our Managed Service clients
1. Monitor released patches (Meltdown is the current focus; for Spectre, more patches are expected over time)
2. Test released patches
3. Patch or work with clients to patch systems
4. Recommend that all users change their passwords at least once per month
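Step 2 (test released patches) is where you confirm that an installed update has actually switched the mitigations on, since the Spectre variant 2 fix also depends on a firmware/microcode update. The PowerShell below is an added example, not part of the original post or Managed Solution's own tooling; it assumes Microsoft's SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl), and uses the property names that module exposes.

```powershell
# Added example: summarize whether the Windows OS mitigations for
# Meltdown and Spectre variant 2 are present and enabled on this machine.
# Assumes the Microsoft SpeculationControl module is installed.
Import-Module SpeculationControl -ErrorAction Stop

function Get-MitigationSummary {
    $s = Get-SpeculationControlSettings

    # CVE-2017-5715 (Spectre variant 2, branch target injection):
    # requires both the OS update and updated CPU microcode/firmware.
    $spectreV2 = [ordered]@{
        CVE             = 'CVE-2017-5715'
        HardwareSupport = $s.BTIHardwarePresent
        OsSupport       = $s.BTIWindowsSupportPresent
        Enabled         = $s.BTIWindowsSupportEnabled
    }

    # CVE-2017-5754 (Meltdown, rogue data cache load): kernel VA shadowing.
    # KVAShadowRequired is $false on CPUs the OS considers unaffected.
    $meltdown = [ordered]@{
        CVE              = 'CVE-2017-5754'
        Required         = $s.KVAShadowRequired
        OsSupport        = $s.KVAShadowWindowsSupportPresent
        Enabled          = $s.KVAShadowWindowsSupportEnabled
        PcidOptimization = $s.KVAShadowPcidEnabled
    }

    # Variant 1 (CVE-2017-5753) is fixed in individual programs and has
    # no system-wide switch, so the module reports nothing for it.
    $meltdownOk = (-not $meltdown.Required) -or $meltdown.Enabled
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        SpectreV2 = [pscustomobject]$spectreV2
        Meltdown  = [pscustomobject]$meltdown
        Compliant = [bool]($spectreV2.Enabled -and $meltdownOk)
    }
}

$summary = Get-MitigationSummary
$summary.SpectreV2 | Format-List
$summary.Meltdown  | Format-List
if (-not $summary.Compliant) {
    Write-Warning "$($summary.Computer): mitigations not fully enabled; OS patch or firmware update still needed."
}
```

Run it before and after deploying a patch; a machine that shows OsSupport true but Enabled false has the update installed but the mitigation switched off, which is what the per-client patch testing in step 2 should catch.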
Do you have any news links or anything in the public for this?
Do you have anything a bit more technical?
Then for Spectre:
Spectre – Variant 1: bounds check bypass (CVE-2017-5753)
Spectre – Variant 2: branch target injection (CVE-2017-5715)
Meltdown – Variant 3: rogue data cache load (CVE-2017-5754)