By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected as of the current moment are iPhone/iPads (Removed per recent advisory).This bug is probably worth its name and logo considering the pervasive nature of the vulnerability. At its core, both involve kernel issues that can lead to leaking running memory outside the current process which can involve compromises of system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc). Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine. It involves a flaw in "speculative execution" common in these processors where, in the right conditions, code can trick the processor in leaking data returned from other applications.

Below are advisories of most of the relevant companies. The patches should be considered preliminary to protect against the most obvious paths to this vulnerability, but future patches are likely planned to deal with the potential significant performance hits from these patches and for better mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.

The good news is patches are out for almost everything (Microsoft has moved up their monthly patching up a week to today, more on that in a different post). The bad news is, Spectre, in particular can't be completely mitigated by patching as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit.

Firefox's initial testing has shown it is possible to trigger these flaws remotely via web content, so devices that browse the web or execute external content are particularly vulnerable (in particular, malware sandboxes are of a concern to me here which by design are unpatched operating systems). Otherwise, you have to find some way to execute code on the victim machine. The bad news is, the fixes can slow down your devices with some initial (disputed) reporting of an up to 30% performance hit to the CPU.

IoT devices are, again, of particular weakness. They run these same processors but as we know, most consumers never use whatever limited interface to update the devices even when it is necessary, and in this case, more than one update cycle may be required. The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them. For most IoT devices, getting code running on the device that exploit these flaws will be non-intuitive but that will vary by device. My biggest concern is that someone uses this vulnerability in a controlled environment to find flaws in specific IoT devices (or even default passwords), to create the next Mirai.

So while the advice is "patch now", the problem we will be grappling with is the performance hits (this will be brutal for cloud vendors especially if it's on the scale of 30%) and the follow-on disruptive patching this will require in the coming months.

No known exploitation for this is occuring in the wild, but that will change in the next few days. This dairy will be updated as the situation warrants.

UPDATE 1536 UTC (Bambenek) - Microsoft is actually filtering systems that have not certified compatability with the updates, that means if you are running an anti-virus / endpoint product Microsoft have listed as "safe" you will not get the update. This is designed to prevent BSOD issues. Working on trying to find a good listing of which products are "safe" or not.

UPDATE 1625 UTC (Bambenek) - Microsoft is only releasing the update for these vulnerabilities early, and then only for a partial subset of Windows Operating Systems.

UPDATE 2017-01-05 1700 UTC (Bambenek) - Added Apple advisory, iPhone/iPad devices are affected via Safari/web-browsers.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity