
Should you be scared of Meltdown and Spectre CPU security flaws?


Post on 26.02.2018 by maurorizzi

 

Secure the gold

In today’s world, data is gold and security is paramount. Recently identified CPU security flaws, however, have put corporations on high alert. Unfortunately, the chink in the armor is embedded deep in the CPU hardware itself. The opportunity for cyber crime created by these vulnerabilities, known as Meltdown and Spectre, has the potential to wreak havoc on companies operating large data processing environments.

 

What exactly are Meltdown and Spectre?

We discovered two new vulnerabilities, called Meltdown and Spectre, that exploit techniques implemented in modern processors (speculative execution and page table management) and could allow malicious programs to access information from the memory of other programs executing on the processor.

Typically, one program cannot read another program’s data.

Malicious programs that exploit Meltdown and Spectre can gain access to the memory of other open programs. These CPU security flaws affect almost every computer that has been developed since the mid-1990s. Meltdown creates a weakness between user applications and the operating system, enabling a program to access the memory of other programs. Spectre infiltrates applications, allowing a perpetrator to gain access to open applications. Passwords, encryption keys and other confidential information become entry points for those looking to perpetrate crimes.

 

What does this mean to me?

Considering the vast number of devices that currently contain vulnerable CPUs, it is difficult to say exactly what the real-world impact might be. Personal computers, mobile devices and cloud environments are all susceptible. The good news is that research is ongoing and software patches to guard against attacks are being developed. Companies including Microsoft and Apple are among those stepping in to address susceptibilities and deliver solutions that limit the potential impact of these security vulnerabilities.

 

How can I protect against CPU security flaws?

We’re glad you asked. Installing the updates recommended by your device is undoubtedly your first line of defense. In addition, below are some options to consider, depending on your device:

 

  1. Android phones

On January 5, Google released a security update that protects Android phones against Meltdown and Spectre. If you are the lucky owner of one of Google’s latest devices, the update will be downloaded automatically. Older Android phones, however, require a manual download. It is a good idea to follow your phone manufacturer on Twitter to get the latest update information, or to check their website for guidance on updating your phone.

 

  2. iPhone

Apple has announced that all iPhones are affected by Meltdown and Spectre. Apple’s latest release, iOS 11.2.5, can mitigate the risks. To get the update, go to Settings > General > Software Update and download the latest update.

 

  3. Windows PCs

Regardless of whether they contain Intel or AMD processors, Windows PCs are at risk from these CPU security flaws. Microsoft has been swift to release a security update for Windows 10, as well as for previous versions of Windows. Microsoft programmed Windows 10 to download the update automatically. If you are concerned, however, and want to ensure your PC is up to date, you can type “windows update” in the search bar and select “Check for updates.”

 

  4. Mac

Apple has released a series of fixes in macOS 10.13.3. To access the fixes, open the Mac App Store, click on Updates and install the latest version of the operating system.

 

  5. Alcatel-Lucent Enterprise

ALE OmniSwitch and OmniAccess Stellar WLAN products are based on several different CPU architectures, some of which are affected by the vulnerabilities. However, these products do not allow execution of arbitrary code. To exploit this vulnerability, an attacker would require that ability and super-user access to the device. An attacker who has already gained privileged-level access to the device would be able to compromise the device without the need for further exploits. Contact your vendor to determine what updates are available. Users of ALE products are reminded to ensure that access to these products is secured and restricted to authorized personnel.

Also, Alcatel-Lucent CodeGuardian, a joint development product between ALE and LGS Innovations, protects networks from intrinsic vulnerabilities, code exploits, malware, and potential back door threats that could compromise mission-critical operations. CodeGuardian technology improves network integrity. In addition, it provides added security against cyberattacks by preventing the execution of arbitrary code on the networking devices.

It is worth noting that the ALE security strategy has received the highest levels of certification from government agencies, including Common Criteria (EAL2 and NDcPP), JITC, FIPS 140-2 and NIST.

And, while ALE networking devices are protected, keep in mind that the computer on which Alcatel-Lucent OmniVista® 2500 software is hosted could be vulnerable to these security flaws. The network administrator should ensure that the server platform and OS are up to date, including the latest patches, to avoid infiltration.
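For administrators who want to confirm that patches are actually in effect on a management server, here is an added example that is not part of the original post or any ALE tooling. It assumes the host runs Linux with a kernel that exposes mitigation status under /sys/devices/system/cpu/vulnerabilities; the function names and the PARTIAL heuristic are illustrative choices.

```python
from pathlib import Path

# Assumption: a Linux host whose kernel exposes this sysfs directory
# (mainline 4.15+ or a vendor backport). Other platforms need other tools.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> flaw discussed in the post
CHECKS = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
}


def classify(status):
    """Turn a kernel status line into OK, PARTIAL, VULNERABLE or UNKNOWN."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "OK"
    if text.startswith("Mitigation:"):
        # Heuristic: a mitigation line can still flag an unprotected
        # sub-case with the word "vulnerable" further along.
        return "PARTIAL" if "vulnerable" in text.lower() else "OK"
    if text.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"


def audit(directory=SYSFS_DIR):
    """Return {flaw name: (verdict, raw status)} for each file in CHECKS."""
    report = {}
    for filename, flaw in CHECKS.items():
        try:
            raw = (Path(directory) / filename).read_text().strip()
        except OSError:
            # File absent: the kernel predates this interface, so its
            # patch level cannot be confirmed from here.
            raw = ""
        report[flaw] = (classify(raw), raw)
    return report


def needs_attention(report):
    """List the flaws whose verdict is anything other than OK."""
    return sorted(flaw for flaw, (verdict, _) in report.items() if verdict != "OK")


if __name__ == "__main__":
    for flaw, (verdict, raw) in audit().items():
        print(f"{flaw:18} {verdict:10} {raw or '(no sysfs entry)'}")
```

An UNKNOWN verdict means the status could not be read, so treat that host as unverified rather than as patched.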

 

Full details of the “Meltdown” and “Spectre” vulnerabilities can be found at the following URLs:

https://meltdownattack.com/
https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

 
