Steve Smith talks about Meltdown, and Spectre, data acquisition vulnerabilities, what they are, how it relates to you, and why the panic being pushed by media is not wholly warranted.
Episode #8-20 released on January 7, 2018
Today, we have some new topics to talk about, notably Meltdown and Spectre, Spectre being two similar vulnerabilities grouped together.
First, let us talk about Meltdown. Meltdown, is a vulnerability that exists outside the operating system, at the hardware level mostly affecting Intel x86-x64 Microprocessors, and some ARM-based microprocessors. It may allow any process to read physical, kernel, or other information in processes mapped in memory, even if that specific process should be unable, or not allowed to do so. This may mean nothing to most people, but this is dangerous. This, however, would require a compute r to both be subjected and unpatched to this vulnerability and, also, be infected with a rogue process that can take advantage of this. Now, while all operating systems are affected by this issue, it only really affects Intel and Arm-based processors. AMD doesn't seem to use the same methodology for their processor leaving them safe from a hardware based attack. There are, also, patches in the wild, and Microsoft has already implemented patches, out of band, mitigating the risk of infection, although your antivirus solution may cause some BSODs. Because of that you are required to have an up to date antivirus solution that will set a special registry key, before that patch is applied to your system.
Now on to Spectre, which affects virtually all processors that are Intel, AMD, and ARM-based, meaning basically all computers, laptops, tablets, mobile devices, etc. It can be leveraged using a software attack, which, also, includes Java Script. Now, if this vulnerability doesn't scare you, it should. While, Meltdown has patches being created, while they are band aid solutions, Spectre will be harder to patch. It can currently be leveraged and there is very little we can do for it, for now. Considering the vectors of attack of Spectre, the best risk mitigation tactics may involve a list of tools that some of you may have, and a change in behavior until patches are created to remove any of the risk of Spectre.
Now, the most important questions to answer are as follows.
Do you need to panic?
No. Update your computer, firmware, and all software when patches come out, and this is true of everything, regardless of platform.
Can an attacker take control of my computer using Meltdown or Spectre?
No, they can only acquire information from the kernel, at either the hardware or software level. This itself may be an issue though.
Are Meltdown and Spectre easy to exploit?
Meltdown is exceedingly easy to exploit; however, there are already patches being deployed and installed. It is easy to mitigate, but the operational overhead may be anywhere from 5 to 30 percent, which most users may not notice.
Spectre is harder to exploit, and even harder to patch, and it will haunt us for a while. However, like Meltdown, it is a data acquisition issue, not a remote code execution style vulnerability.
Is there any processor platform, operating system, or device that is unaffected by these issues?
Except for Raspberry Pi, there is currently no modern CPU options for the normal home user that is free of these issues. This is because it is not a bug, it is intentionally designed this way for operating systems to function, and nothing short of redesigning CPUs, and operating systems can fix this issue for good, and that wholly depends on the general public's interest in updating to their equipment, which will also come at an immense environmental cost, as well as driving up the prices for silicon, ram, etc.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net