So just a few days into 2018 and the news wires are ablaze with the revelation that a bunch of researchers have identified issues in a huge number of processors which allow carefully crafted programs to read the contents of supposedly protected memory.
As with all proper vulnerabilities these new nasties have got names and cute logos: Meltdown and Spectre. Regular readers will know how we all love a vulnerability with a name and a logo.
If you want to read the full gory details, follow this link and download the papers, which are extremely interesting, honest. The long and short of it is that the researchers have used features of CPUs to sneakily read memory that should be hidden.
Meltdown uses CPU functionality called ‘out-of order execution’, and Spectre uses ‘speculative execution’, the general theme being that when the processor is performing these actions, it is outside of direct control from a program and therefore security checks are non-existent. Having tricked the processor into reading some protected memory, the rogue program can read the recovered contents because by default they are not cleared.
Whilst Meltdown is Intel specific, Spectre also affects processors made by AMD and ARM. The vulnerabilities affect chips going back 15 years or more, whoops.
The potential for these so called ‘side-channel’ attacks to be used to steal passwords, crypto keys, pretty much anything really, is very real. There is sample code in the Spectre paper and researchers the world over are knocking out ‘proof of concept code’. Here is our favourite.
Pretty much all systems that allow users to install and run programs are at risk until they are patched and, as usual, we recommend that you patch your systems as soon as you can because now this stuff is out in the open you can be fairly sure that Ernst Stavro Blofeld, Kim Jong-il, Professor James Moriarty and the like will be reaching for the C Compiler. Apart from Moriarty, he writes machine code in binary using nothing but switches.
Amazon Web Services and Azure have remediation programs in place – in fact AWS are pretty much done. Please follow their shining example and get on with it as soon as patches become available. There is little else one can do other than keep calm and carry on. Our friend Graham Cluley recommends having a tea or coffee we will settle for a beer and a couple of valiums.
Probably just a spooky coincidence that the James Bond film Spectre was aired on ITV this week. We couldn’t help thinking where 007 and his sidekick Dr Madeleine Swann kept all of their changes of clothes? Louis Vuitton product placement people are missing a trick.
ITC has published an advisory notice to our customers, which we will continue to update and augment over the coming days. We will also be discussing this and loads of other super interesting topics at our annual security conference ‘Safe and Secure’ which is being held on 31st January at The Banking Hall. If you would like a copy of the advisory or want to come to the event, which will be epic, please contact us at: [email protected] or call 0207 517 3900.
Meanwhile, Don’t Panic and know where your towel is.