Meltdown and Spectre – The Gifts That Keep On Giving

It’s been some time since the news of the Intel processor vulnerabilities dubbed Meltdown and Spectre broke. We wrote a blog on the initial disclosure and subsequent press frenzy on January 4th, and an update on January 9th covering additional aspects of the fallout. In the last month and a half, the news coverage has been slow and steady with many aspects flying under the radar. While many vulnerabilities with a patch may be out of sight and out of mind, the problems with these patches continue to roll in.

General

Since the disclosures, Intel has come under increasing fire and direct questions. Last month The Register tore into Intel on Twitter in a thread charging them with lying to just about everyone.

This turned out to be the least of their worries, as the chairman of the House Energy and Commerce Committee, Greg Walden from Oregon, voiced concern that China had knowledge of Meltdown and Spectre before the U.S. government. This concern comes after the Wall Street Journal reported that Intel shared the vulnerability information with several companies, including some from China. According to SC Magazine, Walden’s committee sent a letter to Intel, among other companies, on January 24th, asking them “to explain their actions that lead to the public disclosure of the flaws taking place six months after Intel was informed”. Intel replied to the letter saying “it abided by standard industry practices in how and when it disclosed the Spectre/Meltdown vulnerabilities in its processors”.

In our second blog, under the ‘Disclosure History Addendum’ section, we gave some details showing that these vulnerabilities were not exactly new. The prior work was thought to go back to 2005 based on discussions at the time. Trammell Hudson pointed out that the foundation of Meltdown and Spectre, speculative execution, was called out in a 1995 paper titled “The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems”. It should be no surprise that Meltdown and Spectre are thought to be the tip of the iceberg, with additional platforms and vulnerabilities likely to be affected. In fact, talk of new variants is already making the rounds with names such as MeltdownPrime, SpectrePrime, and Prime+Probe. Finally, for those who enjoy the challenge of defense, AMD is looking for help!

Skyfall & Solace

Around January 17, after the wave of press and fear around Meltdown and Spectre, word started spreading of more chip vulnerabilities dubbed Skyfall and Solace. A website was created for them with a vague but menacing warning that details would be published soon.

Five days after launch, after a considerable amount of speculation and panic, along with a healthy dose of skepticism, the site was updated to explain that the teased vulnerabilities were not forthcoming and were just a hoax. The new message tried to warn of the dangers of going to unknown sites, saying that it could have hosted malware or a 0-day. The ‘lesson’ imparted came across as naive and simplistic to some, and was labeled as ‘attention seeking’ by others. It should also be noted that this ‘Skyfall’ attack has nothing to do with the 2001 attack under the same name.

Legal

As we started to cover in the last blog, the legal action over Meltdown and Spectre is certainly interesting and likely to change the narrative on vulnerabilities and liability to some degree. After the first wave of lawsuits against Intel, AMD found themselves facing their own class-action lawsuit over “false and misleading statements”. That quickly turned into at least four class-action suits against AMD. In the same theme, Apple found themselves on the receiving end of a class-action lawsuit filed in California, accusing them of not keeping products as secure as they advertised. These lawsuits, regardless of disposition, will be important in legal circles as they further establish that advertising security may have repercussions. They come on the back of the 2013 FTC action against TRENDnet over camera vulnerabilities, which was based on claims in “numerous product descriptions that they were ‘secure’”.

In addition to the disputed claims of security from Intel, at least one class-action lawsuit also brings up that Intel’s CEO, Brian Krzanich, sold millions of dollars of shares after Intel was informed of the vulnerabilities, but before they were publicly disclosed. Between this and the 30 or more lawsuits currently pending, Krzanich is not facing a fun year ahead.

Detection & Testing

As patches continue to roll out and organizations still work on deploying them to the vast majority of systems, more information and methods for detecting the vulnerability have come to light. For example, Cody Pierce has written an article about using hardware performance counters to detect the attacks. Anders Fogh pointed out that his proof-of-concept for detecting cache side-channel attacks from BlackHat Briefings 2015 also detects the Meltdown attack, reminding us again that the foundations for this attack and defense pre-date Meltdown’s disclosure.

Matt Miller pointed out that Microsoft has released PowerShell tools that can query the status of Windows to determine if the mitigations for two of the vulnerabilities are in place. On the flip side, more and more proofs-of-concept are being released that demonstrate the attacks, if your mind leans toward the ‘red’ side. Even worse for the ‘blue’ side, it has been reported that exploitation can bypass Intel’s SGX defenses and be used to snoop on enclaves.

Impact, Patches, and More Failure

Vendor patches to mitigate Meltdown and Spectre have been problematic, to say the least. In addition to what was covered in our prior blog, there has been a steady stream of patches that are causing serious issues for customers. We’ve put together the below round-up of some of the articles covering this mess, for those that want to read further. A brief sampling of the news makes it clear that administrators are not having a good time as they continue to try to mitigate Spectre and Meltdown – and this comes on top of their usual work of keeping systems patched and up to date. We’ll continue to monitor this story as it develops.

  • 2018-01-04 – Meltdown: the latest news on two major CPU security bugs (The Verge)
  • 2018-01-07 – Measuring OS X Meltdown Patches Performance (Reverse Engineering Mac OS X Blog)
  • 2018-01-08 – Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you (Double Pulsar)
  • 2018-01-08 – More stuff broken amid Microsoft’s efforts to fix Meltdown/Spectre vulns (The Register)
  • 2018-01-09 – Meltdown, Spectre bug patch slowdown gets real – and what you can do about it (The Register)
  • 2018-01-09 – IBM melts down fixing Meltdown as processes and patches stutter (The Register)
  • 2018-01-09 – CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar (The Register)
  • 2018-01-10 – Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers (Bleeping Computer)
  • 2018-01-10 – Intel, Microsoft confess: Meltdown, Spectre may slow your servers (The Register)
  • 2018-01-10 – IBM’s complete Meltdown fix won’t land until mid-February (The Register)
  • 2018-01-10 – A mess of Microsoft patches, warnings about slowdowns — and antivirus proves crucial (Computer World)
  • 2018-01-12 – Intel’s Meltdown fix freaked out some Broadwells, Haswells (The Register)
  • 2018-01-15 – Now Meltdown patches are making industrial control systems lurch (The Register)
  • 2018-01-15 – Google claims its Spectre patch results in ‘no degradation’ to system performance (The Inquirer)
  • 2018-01-18 – Intel Claims 90 Percent of Affected CPUs Have Live Patches Just as Rumors of New Attacks Arrive (Gizmodo) [90%, really?! – RBS]
  • 2018-01-21 – RedHat reverts patches to mitigate Spectre Variant 2 (Ghacks)
  • 2018-01-22 – Intel advises companies to stop installing Spectre/Meltdown update (SC Magazine)
  • 2018-01-22 – Meltdown/Spectre week three: World still knee-deep in something nasty (The Register)
  • 2018-02-22 – Here We Go Again: Intel Releases Updated Spectre Patches (Bleeping Computer)
  • 2018-01-23 – HP Reissuing BIOS Updates After Buggy Intel Meltdown and Spectre Updates (Bleeping Computer)
  • 2018-01-23 – Dell Advising All Customers To Not Install Spectre BIOS Updates (Bleeping Computer)
  • 2018-01-23 – Intel Halts Spectre/Meltdown Patching for Broadwell and Haswell Systems (ThreatPost)
  • 2018-01-26 – Intel’s 9th-generation ‘Ice Lake’ CPUs will have fixes for Meltdown, Spectre (Digital Trends)
  • 2018-01-30 – Microsoft rushes Spectre patch to disable Intel’s broken update (Tech Target)
  • 2018-02-09 – VMware sticks finger in Meltdown/Spectre dike for virtual appliances (The Register)
  • 2018-02-14 – Microsoft’s compiler-level Spectre fix shows how hard this problem will be to solve (Ars Technica)
  • 2018-02-28 – Intel Releases Updated Spectre Fixes for Broadwell and Haswell Chips (ThreatPost)