Keep calm and don’t have a meltdown, Spectre is back and this time 007 can’t help us
Computer researchers at Google’s Project Zero have recently found out that the main chip in most modern computers—the CPU—has hardware bugs. These bugs have been named “Meltdown” and “Spectre”. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer in use today.
These hardware bugs allow malicious programs to steal data that is being processed in computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. These hardware bugs break that isolation.
So, if the bad guys are able to get the malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.
Impact to Healthcare Organizations
For our Healthcare clients and those in Healthcare IT or Healthcare IT Security, the Healthcare Cybersecurity and Communications Integration Center (HCCIC) issued their own alert on Jan 5. This is the summary info from the alert:
“A widespread vulnerability in most computer processors sold over the previous decade has been identified that could pose a threat to the protection of Healthcare and Public Health (HPH) sector sensitive data, Protected Health Information (PHI), and Personally Identifiable Information (PII). The significance of this vulnerability for the Healthcare and Public Health Sector is considered medium due to the fact that local access to the computing device is generally required, and vendors are quickly releasing appropriate software patches to mitigate the hardware vulnerability. The patches do have potential to slow down processor performance in limited cases, and organizations should exercise caution and test patches carefully before implementing on high-value assets including systems which handle PHI, PII, or are directly involved in patient treatment or imaging.”
Here is the link to the full HCCIC alert.
The Healthcare Information and Management Systems Society (HiMSS) released a post with Lee Kim’s analysis of the vulnerabilities along with mitigation strategies. The original post was released on Jan 4, and updated on Jan 5. Here is the link to the full article: Spectre and Meltdown Processor Vulnerabilities: What You Need to Know #HITsecurity
So, what is Kraft Technology Group doing about this?
We need to update and patch all machines on the networks of our managed clients. This is going to take some time, some of the patches are not even available yet. We may potentially have to replace some mission-critical computers to fix this, time will tell.
KTG’s managed firewall and managed endpoint protection solutions have been updated to protect against Meltdown and Spectre and have no compatibility issues with the patches being released by Microsoft and other vendors.
In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click. If you are a current client and have any questions or concerns, please do not hesitate to reach out to our Service Desk. If you are not a client and would like to know more about what we can do to help protect your business, please reach out to us at firstname.lastname@example.org or by calling 615-782-4254.
More technical info:
The big cloud service providers including Amazon, Google and Microsoft are pushing updates to their cloud services and other products in response to the Intel Meltdown and Spectre microprocessor bugs, according to CNBC. The cloud services and product updates come after Intel officially commented on Meltdown and Spectre on Wednesday. While the bugs can theoretically affect all processors, there currently is no known exploit for AMD and other processors. Intel is taking the heat and AMD may be the big financial winner after this all shakes out.
Some antivirus software has issues with the patches being deployed by Microsoft and others to try and block the exploitation, but the antivirus software we use for our managed clients was ahead of the game and will not cause any issues. You can read more about ESET here.
If you use Google Chrome and/or Mozilla Firefox, you can better protect yourself against Spectre by enabling site isolation in Chrome and First Party Isolation in Firefox (there is conflicting information if First Party Isolation actually mitigates Spectre).
On January 4, US-Cert released Alert TA18-004A providing guidance, and it has already been updated at least once. This alert includes vulnerability and patching information from over 20 technology vendors. Full alert here: Meltdown and Spectre Side-Channel Vulnerability Guidance.
For ease of reference, here’s that list of those vendors and links to their associated advisories:
- Google Android
- Citrix Systems
- F5 Networks
- Google Cloud Services
- IBM X-Force and Cloud
- Microsoft Azure
- Microsoft Windows
- Red Hat
- Trend Micro
Since VMware is such a popular platform, please see the link above that points to VMSA-2018-002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution. The problem description from VMWare’s patch below:
“Bounds-Check bypass and Branch Target Injection issues
CPU data cache timing can be abused to efficiently leak information out of mis-speculated CPU execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. (Speculative execution is an automatic and inherent CPU performance optimization used in all modern processors.) ESXi, Workstation and Fusion are vulnerable to Bounds Check Bypass and Branch Target Injection issues resulting from this vulnerability.
Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host. The remediation listed in the table below is for the known variants of the Bounds Check Bypass and Branch Target Injection issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-5753 (Bounds Check bypass) and CVE-2017-5715 (Branch Target Injection) to these issues.”
Here is a good site with additional technical information about Meltdown and Spectre, an FAQ, whitepapers, and videos about this SNAFU, that you can refer people to if they want to know more.
As of January 22, Intel is recommending not installing BIOS updates at this time due to the adverse affects. Here is quote from their update:
We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
Intel’s full update here: https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
Originally posted January 5 2018.
Updated January 6 2018 with new information.
Updated January 7 2018 with new information.
Updated January 24 2018 with new information.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.