The two flaws represent three variants of a memory bounds vulnerability affecting several processor classes and manufacturers, Advanced Cyber Security Center (ACSC) executive director Michael Figueroa explained by email.
“They essentially exploit an architectural vulnerability where the processor is allowed to act on instructions stored in memory without any check that the instructions are legitimate and within bounds,” Figueroa said.
“Researchers have essentially found a way to inject malicious instructions into the memory stack and change pointers in the stack to trick the processor into executing them,” he added.
The Guardian reports that Intel has been hit with three separate class action lawsuits filed in California, Indiana and Oregon in response to the disclosure. Spectre affects a wide range of different processors, but Meltdown primarily impacts Intel processors made after 1995.
“The security vulnerability revealed by these reports suggests that this may be one of the largest security flaws ever facing the American public,” plaintiffs’ lawyer Bill Doyle said in a statement. “It is imperative that Intel act swiftly to fix the problem and ensure consumers are fully compensated for all losses suffered as a result of their actions.”
Understanding the Threat
Recorded Future security architect Allan Liska noted in a blog post that the flaws present a particular threat to cloud services, since segmentation of those services could be disrupted by exploiting the flaw.
In response, Google, Amazon and Microsoft have already issued emergency patches for their cloud services. “Because cloud providers are particularly susceptible to Meltdown and Spectre, it is recommended that customers reach out to their cloud providers to understand what their mitigation plans and timetables are,” Liska wrote.
And since there’s no way to detect these attacks, Liska noted, the best way to mitigate the threat is to patch as quickly as possible. Apple and Microsoft have already released patches for macOS High Sierra and Windows, and the maintainers of the Linux kernel are in the process of doing the same. The fixes will likely cause significant performance slowdowns on older Windows and Linux machines.
“Keep in mind that this is a new type of vulnerability, something we haven’t seen before,” Liska wrote. “There is a lot of speculation that threat actors can build upon this work to discover new and even more dangerous vulnerabilities. It could take months to determine if this is a blip or the start of a new class of threat that defenders have to address.”
Patch management is a critically important tool for staying on top of fixes for vulnerabilities like Meltdown and Spectre.
Optiv vice president of strategy, risk and compliance Michael Lines said Meltdown and Spectre should serve as a reminder of the importance of having ongoing risk assessment and threat and vulnerability management (TVM) processes in place as part of a robust security program.
“These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical,” Lines added. “Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”
CyberGRX CEO Fred Kneip said it’s crucial for enterprises to keep third-party providers in mind when assessing the need for patches. “Past mega attacks such as WannaCry and Petya were much worse because companies failed to apply available patches in a timely manner,” he said.
“In addition to patching their own systems, it’s just as important for enterprises to understand the patch management controls of all their third parties — including vendors, partners, customers and divisions of their own companies — in order to thoroughly mitigate the risk of any future exploits of the Meltdown and Spectre vulnerabilities,” Kneip added.