[img src=”/wp-content/uploads/sites/1097/2018/01/Blogimg-Spectre-and-Meltdown.jpg” class=”aligncenter”]

Find out if you are Affected

Spectre and Meltdown are two vulnerabilities identified by researchers taking advantage of a design flaw found within the Central Processing Unit (CPU) of modern computers. The CPU is basically the “brains” of the computer and is responsible for executing and running programs on the system. Since 1995, CPU computer chips were built with the ability to perform speculative execution. This means the chips can guess what will happen next when completing routine processes. Having this capability allows the CPU to process tasks more quickly. However, if the chip guesses what would happen next incorrectly, the information used to complete the current running process would be discarded to an unsecure area of the computer’s cache memory. It is here where malicious actors can take advantage of this process and steal the discarded data which can contain sensitive information such as passwords and credentials.

Any modern computer and many other devices are susceptible to this vulnerability. Both could impact computers, laptops, tablets, smartphones, and Internet of Things (IoT) devices depending on the type of CPU chip they use. Spectre can be used to target Intel chips whereas Meltdown can be used to target Intel, AMD, and some ARM chips. As this vulnerability impacts a system’s hardware, utilizing shared processors and services. Cloud services and virtual machines do not protect against this vulnerability as it impacts chip level functionality.

To gain access to the CPU and exploit the vulnerability, malicious actors can use a variety of methods:

• Cyber criminals can send malicious attachments or links to victims via phishing emails. Once opened or clicked on, a malicious application is downloaded onto the victim’s computer which may give the actor access to the system.
• Popular web browsers (such as Chrome, Internet Explorer, Firefox, and Safari) can all fall victim to malicious Javascript code posted on a compromised or malicious web site. This code would be automatically run by the browser which assumes the rogue code is an ordinary part of the site’s features.
• Another potential access point is the system’s Graphics Processing Unit (GPU). The GPU chip renders images, video, and animations so they are visible on the computer’s screen. While the GPU itself isn’t vulnerable to Spectre or Meltdown, it can be used to pivot into the CPU.

Researchers discovered Spectre and Meltdown many months before they made their findings publicly available. Since then, information related to this vulnerability has become clearer and the potential impacts are better understood. This vulnerability affects both individuals and organizations. Anyone or any organization who has purchased a computer since 1995 is potentially vulnerable. Using one operating system or browser over another does not necessarily mean a computer is less vulnerable than another.

It is important to note that Spectre and Meltdown can’t be used to exploit a system unless the malicious actor is already present on the system in question. Additionally, this vulnerability is difficult to exploit and one which cannot be easily executed. The MC3 is unaware of any known incidents related to Spectre or Meltdown being exploited outside of a lab environment. While these vulnerabilities have not yet been identified in the wild, it is unknown if malicious actors or cyber criminals plan to exploit these vulnerabilities in the future.

To make it more difficult for an attacker to exploit this vulnerability, the following actions are highly suggested.

• Update and patch the computer’s operating system, software, and web browser(s)
  • If this is not possible, take additional steps to harden the system
• Update and patch firewall and antivirus
• Think before you click – Stay vigilant to potential social engineering attacks and do not click on links or attachments found in unsolicited email.

NOTE: These actions cannot prevent an attacker from exploiting this vulnerability once they are on the system. However, these steps can make it harder for an attacker to gain access to the system to begin with. Additionally, free online tools are available which claim to have the ability to see if a system is vulnerable to Spectre and Meltdown. The MC3 cannot verify the accuracy or security of these tools. As such, the MC3 recommends acquiring tools from a trusted source and suggests caution if used. One such tool can be found at: https://www.grc.com/inspectre.htm.

These steps should be taken by both individuals with personal devices (computers, tablets, IoT devices, and smartphones) and personnel responsible for securing an organization’s information technology infrastructure. In following with good cyber hygiene practices, it is suggested organizations apply patches in a test environment before pushing them out agency wide to ensure the patches do not have a negative impact to the network. Depending on the set up of the network, patches may cause service interruptions or decreased performance.

MC3 personnel will continue to monitor the situation and will notify as necessary. Any additional questions or concerns can be sent to MC3@michigan.gov.