What is the problem?
It is essentially a hardware design mistake, and it affects a huge number of devices and systems, from all of the major manufacturers, in theory dating as far back as 1995.
In the worst case it might allow the theft of passwords and security keys. Once a sufficiently important key has been stolen, all data on the affected system is then at risk.
Whether or not this can be exploited depends on many different things, including the make and model of device or system, and how it is being used by its owner.
The affected hardware cannot be repaired to remove the flaw, but recent products can be patched, so that the flaw cannot be exploited.
There are two generic ways to attack a CPU[1] with this problem. One, code named Meltdown, is relatively simple to do, and relatively easily patched against. The second, code named Spectre, is much more difficult to exploit (but also hard to patch). Spectre affects more chip designs from more manufacturers than Meltdown.
Technical details of both exploits are available from https://meltdownattack.com
In both cases, criminals still need one of the common attack methods to succeed first, in order to get their code running on the target system. These are some of them:
- phishing emails (see the “Phishing, spear phishing and whaling” post),
- hijacked websites that deliver concealed viruses to visitors,
- a “Trojan horse”: otherwise innocuous software containing malicious code that is installed and run,
- compromised physical security (authorised users loading viruses, either deliberately or unknowingly).
Presently, there are no anti-virus tools that we know of which recognise malicious code specifically trying to use Meltdown or Spectre, BUT the tools we recommend to clients WILL detect the malware delivery methods listed above (and thus indirectly block the exploits).
Chip manufacturers have been aware of both Meltdown and Spectre for some time. They are developing and testing patches for their products, but news of the issue reached the mainstream media (i.e. was leaked) before their work was finished. Firmware and microcode[2] updates will be released over the next few days and weeks, as the work completes the necessary testing stages.
What do you need to do about Meltdown and Spectre?
At the time of writing (4th January 2018) there is very little you can or need to do yourself to protect specifically against this vulnerability. That said, obviously there are a number of common activities on desktop systems and mobile devices that need special caution:
- when dealing with all confidential data,
- when opening unexpected or otherwise suspect emails, and
- when browsing the web.
For privately-owned devices and computers, the major manufacturers are releasing security updates as a matter of priority: Apply any official security updates as soon as they are offered.
As of this morning (5th January 2018) there are reports of some incompatibilities between Microsoft’s Windows patch and some desktop anti-virus software. Check very carefully with both your operating system and anti-virus vendors (and obviously your IT support company, if you have one), before proceeding.
Cloud-based services are affected, too. Suppliers are applying patches to their systems as a matter of urgency: you might experience brief interruptions to your cloud services if these need to be restarted by the service provider.
What is Bristol IT Company doing?
We are monitoring this rapidly-changing situation very closely. For servers, infrastructure and PCs we support, we will install recommended patches as soon as they are publicly available.
The exact process will vary by individual client, as it will greatly depend on the hardware and operating system in use, and how these are being applied in the business.
As always, we will keep disruption to an absolute minimum.
What will happen in the long term?
As we said above, the hardware design problem cannot be fixed; however, manufacturers may release firmware updates that prevent this weakness from being exploited.
For systems where firmware updates are impossible, replacing the CPU may be necessary, and for a few older systems total protection may prove impossible—for these, replacing the hardware entirely will be the only safe course of action.
At present (early January 2018), the CPU manufacturers have not made this detail available to the IT support community.
We will, of course, advise our clients as soon as the situation becomes clearer.
[1] CPU = Central Processor Unit, the chip at the heart of any modern mobile device or computer system. There are several brands, but they share common features in the way they operate. It’s one of these common features that is flawed.
[2] Firmware and microcode are special types of software used to manage how the hardware parts of a computer (mostly its chips) work with the rest of the system. They are part of the computer itself (you usually can’t buy them separately) and are not easily accessible to ordinary users.