What are Meltdown and Spectre, and How Do They Impact WSIPC?

Jan 17, 18

Meltdown and Spectre

Last year, Google Project Zero, Cyberus Technology, Graz University of Technology, and others, discovered serious security vulnerabilities caused by “speculative execution,” a technique used by most modern processors (CPUs) to improve performance. These vulnerabilities, known as Meltdown and Spectre, were revealed privately to chip companies, operating system developers, and cloud computing providers, who have been working together to develop solutions. The vulnerabilities were reported in the press last week, and although no attacks against these vulnerabilities have been reported, they potentially allow attackers to access sensitive information on everything from smartphones to data center hardware.

What Are Meltdown and Spectre?

Spectre and Meltdown (also known as variants one, two, and three) take advantage of the ability to extract information from instructions that have executed on a CPU, using the CPU cache as a side-channel. For technical details about Meltdown and Spectre, see the US Computer Emergency Readiness Team’s (US-CERT) Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google’s Project Zero blog, and Graz University of Technology's Meltdown site.

What Software Is Affected?

All major computer chip architectures, including AMD, ARM, and Intel processors, are vulnerable to Meltdown and Spectre.

How Can I Protect My Data?

US-CERT advises that users and administrators refer to their operating system vendors for security updates, and that they install updates as they are released. You can find a comprehensive list of updates on US-CERT’s Alert (TA18-004A) site.

Intel deployed software and firmware updates last week, for over 90 percent of the processor products released within the last five years. Machines with older processors will be issued fixes in the future. More detailed information is available on Intel’s Security Site.

Due to differences in AMD architecture, there is close to zero risk for AMD processors for variants two and three of the speculative execution vulnerabilities. For variant one, vulnerabilities can be resolved by software and operating system updates available from system vendors and manufacturers. More detailed information is available on AMD’s Security Center Page.

Most ARM processors are not impacted by the speculative execution vulnerabilities. You can find a list of processors that are vulnerable on ARM’s Security Site.

WSIPC’s Response

Jeff Simons, WSIPC’s CIO, stated that “WSIPC is aware of the recently disclosed speculative execution vulnerabilities of modern computer processors. All but a small number of WSIPC’s private cloud servers use AMD processors, which have near zero risk for the non-software vulnerabilities. Azure and AWS have updated their infrastructures. WSIPC is working with our vendors to identify and deploy the required updates to ensure the security of the Cooperative environment. There may be additional service and maintenance outages as updates are implemented.”