Meltdown and Spectre, everyone is vulnerable

Last week there was a lot of news coverage on two major vulnerabilities which were discovered in today’s processors by Google’s Project Zero. These have been given the names Meltdown and Spectre. The first mainly affects Intel processors, the second also affects AMD and ARM (mainly used in mobile phones, tablets and IoT devices).

Meltdown en Spectre, what do they do

Meltdown en Spectre, iedereen is kwetsbaar

Due to choices in the design of processors, it is possible to access parts of the memory that you normally can not access. This can be done by abusing the way processors process the commands. The difference between the two vulnerabilities is that Meltdown allows the reading of core memory, whereas Specter does this for processes.

Solutions in hardware and software

Intel has indicated that it will quickly solve the problems with the hardware by releasing new firmware. This will in many cases have to be deployed by updating the BIOS. This is a difficult, technical matter. Fortunately, all major suppliers of operating systems also do their part. They release updates that will automatically be installed in most cases. Microsoft, Apple and the developers of the Linux kernel have already responded to these vulnerabilities. In addition, developers of other software also offer additional security measures. For example, measures have been taken in Firefox version 57 and Chrome version 64.

Performance loss after solutions

The vulnerabilities abuse techniques that improve performance. That is why the solutions will have an impact on it. Some developers predict a performance loss from 5% to 30%. Others report that it will not be noticeable daily use. Software performance depends on many factors, especially the way it is utilized. That is why the difference will be disparate for everyone and it will have to be proven in practice.

Vulnerability of 1A-servers (on-premise and cloud)

We take reliable security very seriously. That is why we immediately dove into the matter. Fortunately, it turned out that these serious bugs can only be abused if code is executed on the system itself. As a result, the susceptibility to abuse of Meltdown and Specter on the 1A-server is very small. Nevertheless, in the context of preventing is better than curing, for Meltdown we will soon update all 1A-servers. However, a restart is required for this. For Specter there is still no adequate solution available, since the matter is quite a one. When new solutions are available, they will be tested and rolled out as soon as possible.

Author

Richard de Vroede

A perfectionistic Jack-of-all-trades who dedicates all of his passion to his work.

Facebooktwitterlinkedin

Facebooklinkedinrssyoutube