Meltdown and Spectre attacks mitigated by operating system updates

Posted by   Martijn Grooten on   Jan 4, 2018

We wish all our readers a very happy and very secure 2018!

The latter part will not come without some serious work though. We are not even four days into the new year and we have already learned of two major proof-of-concept attacks affecting a very large number of processors, forcing operating system developers to release emergency patches.

The attacks, named Meltdown and Spectre, break down barriers between user mode and kernel mode and between different processes running on the same device, allowing a rogue process (which could be triggered by a website) to access memory that it shouldn't have access to.

spectre_logo.png meltdown_logo.png

Apart from the official website meltdownattack.com, which includes two research papers, there is also a detailed blog post about the attacks by Jann Horn of Google's Project Zero, one of the researchers who discovered them, while for a more easily accessible overview of how the attacks work and how they're related to a CPU feature called 'speculative execution', I found this blog post by Sophos's Paul Ducklin a very good read.

Though the attacks are serious, it is too early to predict the impact they will have in the real world. On the one hand, in the coming days and weeks researchers will no doubt find new ways in which they can be used, for example by chaining them with other exploits to get some really impressive results.

On the other hand, reading arbitrary snippets of memory tends to be hard to weaponize, especially at scale. It is worth remembering that one of the worst vulnerabilities of this decade, Heartbleed, which also involved reading arbitrary memory (though was otherwise unrelated), was never exploited at scale and rarely used in the wild. Information disclosure vulnerabilities in themselves don't allow someone to execute code, which means they are not particularly attractive to most attackers.

It is thus wise not to panic but, as always, patching is important and, thankfully, the issue can be mitigated at the software level: most operating systems have already rolled out patches. Cloud providers, such as AWS and Azure, have rolled out patches throughout their networks too.

These patches don't come without a cost though. Firstly, as the attacks exploit a method that makes processors run faster, the mitigation could potentially slow down performance. Though initial reports suggested that this performance hit could be as much as 50 per cent, Microsoft reports that it is seeing no CPU impact to Azure instances after rolling out patches.

Secondly, Microsoft has found that some anti-virus software is incompatible with the patch, as it makes 'unsupported calls into Windows kernel memory', which could cause blue screens of death and could even make the machine unable to boot.

To prevent this from happening, Microsoft has asked anti-virus vendors to set a specific Windows registry key to test compatibility of their product with the security update; the updates will not be installed unless this registry key is set. Users who do not run anti-virus, or who are certain the product they use is compatible with the latest Windows update, can set this key manually.

Microsoft does not state which anti-virus products it found to be incompatible. For now, I would be hesitant to conclude that the fact that a product hasn't set the registry key means that it isn't compatible; it may simply indicate some extra testing. Microsoft says it is working closely with all anti-virus vendors to resolve the issue.

Without seeing details of the unsupported calls, it seems unfair to comment on this behaviour. However, there has long been a trend for anti-virus software to become an integrated part of the operating system rather than a 'hack' on top of it. This would seriously reduce the need for such unsupported calls.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 paper: Domestic Kitten: an Iranian surveillance program

At VB2019 in London, Check Point researchers Aseel Kayal and Lotem Finkelstein presented a paper detailing an Iranian operation they named 'Domestic Kitten' that used Android apps for targeted surveillance. Today we publish their paper and the video…

VB2019 video: Discretion in APT: recent APT attack on crypto exchange employees

At VB2019 in London, LINE's HeungSoo Kang explained how cryptocurrency exchanges had been attacked using Firefox zero-days. Today, we publish the video of his presentation.

VB2019 paper: DNS on fire

In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation.

German Dridex spam campaign is unfashionably large

VB has analysed a malicious spam campaign targeting German-speaking users with obfuscated Excel malware that would likely download Dridex but that mostly stood out through its size.

Paper: Dexofuzzy: Android malware similarity clustering method using opcode sequence

We publish a paper by researchers from ESTsecurity in South Korea, who describe a fuzzy hashing algorithm for clustering Android malware datasets.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.