The tech world was rocked at the dawn of the new year with the announcement of the Meltdown and Spectre vulnerabilities. The blogosphere is brimming with information and suggestions on what you can do to help mitigate the risk these vulnerabilities cause in every device with computing power. Affected devices include desktops, laptops and thin clients, tablets and even your cell phones. And no manufacturer, OS or deployment is immune. So what exactly are these vulnerabilities and what can you do to help secure your information against these threats?
What, exactly, is Meltdown and Spectre?
Let’s start with information directly from the source:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. “
While both vulnerabilities give the unauthorized program or user access to sensitive data, the way this occurs is different.
Meltdown essentially “melts” the protective walls between applications and the operating system of the device, allowing access to the memory and the secrets stored there. Meltdown is relatively easy to mitigate with software patches.
Spectre is a bit more daunting, as it breaks down the inherent barriers between applications on the system. An attacker who exploits Spectre can trick error-free programs (such as password managers) into divulging the secrets stored (passwords.) Spectre is harder to initiate but is also harder to mitigate. Software patches are available to strengthen a systems ability to fend off this attack, but some have theorized that the only truly secure way to mitigate this risk is to update the hardware.
We wouldn’t blame you for being overwhelmed, or confused about what exactly these exploits are and how they can affect you. Red Hat gives a very good and detailed example in their blog post from earlier this month.
In it, Red Hat describes “speculative execution” with the analogy of a coffee shop. A barista has noticed that one particular customer who comes in frequently always orders a specific cup of coffee, so when the barista sees this individual come in the door, she begins to prepare the drink. The barista does this to reduce the customer’s wait. And as common practice in this coffee shop, barista’s write the name on the cup of the individual it was prepared for. But say this customer comes in and changes his regular order for something new. Now the barista has to throw the cup, with the name on it, in the trash and now available for anyone to see the information on the cup and possibly the contents of the cup. This is “speculative execution.” The barista makes an educated guess on what the customer will order based on previous behaviors in an effort to save time for this customer.
Computer processors have a similar process with fancy algorithms that determine what the likely results will be of a program’s behavior. If something happens that is out of the norm, the processor then has to trash the initial speculative results (the usual coffee order) and run the alternative behavior (the new coffee order.) Meltdown and Spectre allow hackers to gain access to this source code and the discarded information and can use it to cause the system to execute code sequences that normally would not have been triggered.
What’s a person to do?
One of the first things to be done is to update the operating system from the appropriate vendor (Windows, iOS, Linux, etc.) as all have worked hard to get patches installed to help mitigate the risk. The National Cybersecurity and Communications Integration Center (NCCIC) has compiled a comprehensive list of patches published and is a great resource to start.
Additionally, users are advised to follow appropriate security protocols and to not open links from or share sensitive data with any unknown source. As this is a new and entirely different class of risks, best practices and advice may change over time and users should pay attention to new updates and hotfixes from their vendor.
How dinCloud is mitigating the risk from Meltdown and Spectre
dinCloud is committed to helping our customers with the security of their virtual environment. As such, we will be sending each customer an email with information on how you can implement the updates and patches from Microsoft to ensure your systems against these new security exploits and our support team is available to help. Please feel free to reach out to them for any questions regarding your virtual desktop deployment.