2018 could not have had a worse start from a cyber-security perspective as, yesterday, a major security hole was found in Intel, AMD and ARM processors. The critical flaw discovered in the affected computers’ architecture and operating system has rocked the technology industry, and developers around the world have rushed to roll out fixes.
The vulnerability, leveraged by the Meltdown exploit on Intel systems, is particularly worrying as it can lead to exfiltration of sensitive data such as login credentials, email messages, photos and other documents. It enables attackers to use a malicious process run at user level on the affected workstation or server in order to read other processes’ memory, even that of high-privileged kernel processes.
The flaw can hit home users and virtually every company, as Spectre affects all kinds of computers: desktops, laptops, Android smartphones, on-premises servers, cloud servers, etc. The more critical the information handled by a potential victim, the greater the risk of suffering an attack.
Microsoft and Linux have already released updates for their customers’ security. We’d like to inform our customers and partners that the tests carried out by Panda Security show that there are no compatibility conflicts between our endpoint security solutions and Microsoft’s security update.
At present, there is no evidence of public security attacks leveraging the flaw, but judging from past experience, it is not at all improbable that we may witness an avalanche of Trojans and spam campaigns attempting to exploit the vulnerability.
How to mitigate the vulnerability
Newer-generation processors are not affected by the flaw; however, replacing all vulnerable systems is not a viable option at this time.
For that reason, the only possible countermeasure at this stage is to mitigate the vulnerability at operating system level. Microsoft and Linux are working on or have patches ready that prevent the exploitation of this hardware bug, with Linux being the first vendor to release a fix.
Microsoft, which initially planned to include a patch in the security update scheduled for Tuesday January 9, released a fix yesterday that is already available on the most popular operating systems and will be gradually deployed to all other systems. For more information, please visit this page.
It is worth mentioning that Microsoft’s security patch is only downloaded to target computers provided a specific registry entry is found on the system. This mechanism is designed to allow for a gradual update of systems coordinated with security software vendors. This way, computers will only be updated once it has been confirmed that there is no compatibility issue between the patch and the current security product.
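On Linux, whether the operating-system-level mitigation is actually active can be confirmed from the kernel's per-vulnerability status files. The following is an added example, not code from Panda Security or any vendor; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 or a distribution backport), and the function names are illustrative.

```python
from pathlib import Path

# Kernels 4.15+ (and distro backports) expose one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE for the three Spectre/Meltdown variants.
VARIANTS = {
    "spectre_v1": "CVE-2017-5753",  # Variant 1, bounds check bypass
    "spectre_v2": "CVE-2017-5715",  # Variant 2, branch target injection
    "meltdown": "CVE-2017-5754",    # Variant 3, rogue data cache load
}

# Prefixes the kernel uses in its one-line status strings.
PREFIXES = (("Not affected", "not_affected"),
            ("Mitigation", "mitigated"),
            ("Vulnerable", "vulnerable"))


def classify(text):
    """Map the kernel's status string to a coarse state."""
    line = text.strip()
    for prefix, state in PREFIXES:
        if line.startswith(prefix):
            return state
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (state, raw status)} for each variant.

    A missing file means the kernel predates the reporting interface,
    so the state is 'unknown' rather than safe.
    """
    report = {}
    for fname, cve in VARIANTS.items():
        try:
            raw = (Path(sysfs_dir) / fname).read_text().strip()
        except OSError:
            raw = ""
        report[cve] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Sorted CVEs that are neither mitigated nor reported as not affected."""
    return sorted(c for c, (s, _) in report.items()
                  if s in ("vulnerable", "unknown"))


if __name__ == "__main__":
    rep = audit()
    for cve, (state, raw) in sorted(rep.items()):
        print(f"{cve}: {state} ({raw or 'no status file'})")
    raise SystemExit(1 if needs_attention(rep) else 0)
```

The non-zero exit status when any variant is vulnerable or unreported lets the script be used as a compliance check in configuration management or monitoring.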
Technical Support
For more information, please refer to the following technical support article. There you will find detailed information about the Microsoft patch validation process, how to manually trigger the patch download, and the way our products will be gradually updated to allow the automatic download of the new security patch just as with any other update.
We’d also like to encourage you to find detailed information about Microsoft’s security update and the potential impact it can have on desktop, laptop and server performance.
Finally, Microsoft, Mozilla and Google have warned that attackers may try to exploit these bugs via their Web browsers (Edge, Firefox and Chrome), and that temporary workarounds will be released over the next few days to prevent such a possibility. We recommend that you enable automatic updates or take the appropriate measures to have your desktops, laptops and servers properly protected.
Cyber-Security recommendations
Additionally, Panda recommends that you implement the following best security practices:
- Keep your operating systems, security systems and all other applications always up to date to prevent security incidents.
- Do not open email messages or files coming from unknown sources. Raise awareness among users, employees and contractors about the importance of following this recommendation.
- Do not access insecure Web pages or pages whose content has not been verified. Raise awareness among home and corporate users about the importance of following this recommendation.
- Protect all your desktops, laptops and servers with a security solution that continually monitors the activity of every program and process run in your organization, only allowing trusted files to run and immediately responding to any anomalous or malicious behavior.
Panda Security recommends that all companies adopt Panda Adaptive Defense 360, the only solution capable of providing such high protection levels with its managed security services. Discover how Panda Adaptive Defense 360 and its services can protect you from these and any future attacks.
Customers using our Panda Security home use solutions also enjoy maximum protection as they feed off the malware intelligence leveraged by Panda Adaptive Defense 360, as shown in the latest independent comparative reviews. The protection capabilities of Panda Security’s technologies and protection model are demonstrated in the third-party tests conducted by such prestigious laboratories as AV-Comparatives.
How do these vulnerabilities affect Panda Security’s cloud services?
Cloud servers where multiple applications and sensitive data run simultaneously are a primary target for attacks designed to exploit these hardware security flaws.
In this respect, we’d like to inform our customers and channel partners that the cloud platforms that host Panda Security’s products and servers, Azure and Amazon, are managed platforms which were properly updated on January 3, and are therefore protected against any security attack that takes advantage of these vulnerabilities.
What effect do these vulnerabilities have on AMD and ARM processors?
Although the Meltdown bug seems to be limited to Intel processors, Spectre also affects ARM processors on Android and iOS smartphones and tablets, as well as on other devices.
Google’s Project Zero team was the first to report the Spectre flaw, on June 1, 2017, and reported the Meltdown bug before July 28, 2017. The latest Google security patch, released in December 2017, included mitigations to ‘limit the attack on all known variants on ARM processors.’
Also, the company noted that exploitation was difficult and limited on the majority of Android devices, and that the newest models, such as Samsung Galaxy S8 and Note 8, were already protected. All other vendors must start rolling out their own security updates in the coming weeks.
The risk is also small on unpatched Android smartphones since, even though a hacker could potentially steal personal information from a trusted application on the phone, they would have to access the targeted device while it is unlocked as Spectre cannot unlock it remotely.
Apple’s ARM architecture chips are also affected, which means that the following iPhone models are potentially vulnerable: iPhone 4, iPhone 4S, iPhone 5 and iPhone 5C. Apple has not released any statements regarding this issue, so it is possible that they managed to fix the flaw in a previous iOS version or when designing the chip.
As for the consequences and countermeasures for AMD processors, these are not clear yet, as the company has explained that its processors are not affected by the Spectre flaw.
We’ll keep you updated as new details emerge.
9 comments
yes
There are more errors in this article than in my spelling. First you say “major security hole found in Intel, AMD and ARM processors”, and then in the very last line you consider, well, AMD isn’t affected anyway. AMD never could get affected by this since their CPUs are constructed very differently. Then you say newer-gen CPUs aren’t affected; this is again wrong, even Intel’s newest CPUs have this design flaw. It takes years to develop a CPU and you can’t just change the entire Intel CPU infrastructure in a few months. And lastly, I see no mention of the fact that even Intel has admitted that this fix may slow down processors, some as much as 30%. My spelling is atrocious, especially on this old tablet that keeps trying to translate every word I type into my native tongue, so considering the last article you had just before this one, about how we should all get better at checking the articles we read to avoid fake news, maybe you should have spent 2 more minutes fact-checking this one, and I promise to spend 2 more minutes spellchecking next time and disabling this damn suggested spelling feature.
Thank you for your comments. There are 3 variants of the flaw. Please find below some general information about how each of them impacts processors:
– Variant 1 (Spectre): Bounds check bypass (CVE-2017-5753). This is software patchable and affects almost all modern processors.
– Variant 2 (Spectre): Branch target injection (CVE-2017-5715). Variant 3 (Meltdown): Rogue data cache load (CVE-2017-5754). These two are not patchable and affect Intel and potentially ARM.
For detailed information about how AMD, ARM and Intel chips are affected by this security hole, please refer to the following official pages:
1. Please check this official page where AMD details the impact of the 3 variants of the exploit, and how to resolve them: https://www.amd.com/en/corporate/speculative-execution
2. Please check this official page where ARM details how its processors are affected by the 3 variants of the flaw: https://developer.arm.com/support/security-update
3. Intel-based platforms impacted by this issue are listed on the following Intel official page https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
4. At the time of writing the article there weren’t any tests regarding the impact of installing the patch on system performance. As of January 5th, TechSpot and Guru3D performed some benchmarks for Windows. Both sites concluded that desktop users don’t have much to worry about. Some PC games see a small 2% slowdown with the patch, which is within the margin of error, while others appear to perform identically. 3D rendering, productivity software, file compression tools, and encryption utilities appear unaffected. However, file read and write benchmarks do show noticeable differences. The speed of quickly reading a large amount of small files dropped about 23% in TechSpot’s benchmarks, and Guru3D found something similar.
I think it is way past time security solutions, like anti-malware, evolve.
Since Intel AMT was introduced into all consumer systems, not only corporate, we are exposed to huge security risks. I understand these new design holes as “optimization abuse”, and the solution would be security software to tap into BIOS and even microcode, Operating System kernel, USB, everything including hardware dongles. It is sad, but hardware makers made it.
With GDPR taking effect from May it feels like this could be the first of many cyber security threats in 2018, as hackers rise to the challenge. It’s even more worrying given that over 50% of global Microsoft machines no longer receive any OS support to protect against new security risks.