Meltdown & Spectre

Three seperate vulnerabilites have been discovered within the software and design of several CPU release all the way back starting from 1995. Major vendors like Intel, AMD and ARM are affected by this vulernability. Microsoft relased Emergency update last night, KB4056892
Severity: Critical
Dispersion:
Operating System: All runing Intel, AMD or ARM CPU
Category: Vulnerabilities
Sources: Project Zero, Others

Update:

There is reports of increase in malwares using the explois in Spectre/Meltdown. An even bigger reason for speeding up patching if you still are hesitant:

http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges

 

There has now surfaced a tool that you can use to check whether your hardware and software are capable in preventing Meltdown and Spectre attacks:

https://www.grc.com/inspectre.htm

 

From Alert
Three seperate vulnerabilites have been discovered within the software and design of several CPU release all the way back starting from 1995. Major vendors like Intel, AMD and ARM are affected by this vulernability. Microsoft relased Emergency update last night, KB4056892

 

Description

Project Zero have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Project Zero have exploits that work against real software. Project Zero reported this issue to Intel, AMD and ARM on 2017-06-01

 

Patch Status:

Android: the Nexus 5XNexus 6PPixelPixel XLPixel 2, and Pixel 2 XL have been patched and you should see an update soon if you haven’t already received it
Microsoft:  KB4056892
Apple: Apple has released three new security updates aimed at protecting Safari and WebKit from the Spectre attack. The three updates make changes to iOSmacOS, and Safari itself
Chromebook:  Update to Chrome OS 63
Chrome Webbrowser:  Will release new version on Jan 24 to mitigate threat

 

Linux

Redhat:  RHEL 7 Patch available. See reference for full list
Debian:  Patches are out, run update and reeboot.
Centos:  Patches are out, run update and reeboot.
Ubuntu:  Patches are out, run update and reeboot.

 

 

Name of Vulnerabilities

CVE-2017-5753, CVE-2017-5715, CVE-2017-5754

 

Recommended actions

Cyberon Security recommends the following:

  • Deploy the update from Microsoft and other vendors as soon as possible

 

More information and reference:

https://meltdownattack.com/

https://support.microsoft.com/en-ca/help/4056892/windows-10-update-kb4056892

https://googleprojectzero.blogspot.no/

https://access.redhat.com/security/vulnerabilities/speculativeexecution

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: