"Meltdown" and "Spectre": What Nonprofits Need to Know
You may have seen news reports or Internet articles about the recent “Meltdown” and “Spectre” vulnerabilities that were first reported on Wednesday, January 3rd. The whole tech world is worked up about it and it is all over the Internet. Let’s take a moment and understand how this impacts the nonprofit community and you.
What’s Going On?
Several months ago a major security vulnerability was discovered by Google and Academic researchers. This vulnerability is actually at the CPU level (the piece of hardware in your computer that actually does the “thinking”). Since every computing device has a CPU, this vulnerability impacts just about every computer (Mac, Windows, Linux, etc) and many mobile devices in use today.
No one has reported seeing any actual attacks using these vulnerabilities. However, the security world is by nature a cautious one. The public announcement of the vulnerability was delayed for months while cloud software, operating system, and hardware vendors worked to develop fixes. Even before Wednesday’s announcement, most major vendors had done so – Google Apps, Microsoft Office 365, Microsoft Azure, and Salesforce have all taken steps to mitigate the vulnerability. Software patches for Mac OS, Windows, and Android were released weeks or months ago.
Unfortunately the issue occurs at such a deep level of the computer that it’s difficult to fully protect against. Even fully patched systems may be vulnerable to attack by a dedicated and skilled attacker. That said, nonprofits using fully updated software and using cloud servers are unlikely to be impacted. However, it is critically important that you update your systems. Unpatched systems could have a password stolen just by visiting a website. You’ll see details on protecting yourself later in this post, but in summary:
- Windows 10, 7, and 8 and Server 2008, 2012, and 2016 updates are available as of January 3rd
- Mac OS updates were released in early December (iOS 11.2, macOS 10.13.2)
- Android users with the January 5th security update are protected (most phones must wait for their carrier to release the patch)
- Firefox has released an update to mitigate against Spectre attacks
- Chrome will release an update to mitigate against Spectre attacks on January 23rd
What’s the Vulnerability?
Part of the confusion is that there are actually two vulnerabilities. One called “Meltdown” and the other called “Spectre”. If you are a true nerd you can read the original academic articles (Meltdown here, Spectre here) but I already did that to save you the headache. Both attacks rely on a technique used by CPUs to run really, really, fast. To do this, modern CPUs use something called speculative execution. They guess at what commands might be needed in the future and preload small bits of information to make future execution faster. The vulnerability allows this data to be loaded without properly checking to see if the code has permission. It can then be read exposing passwords, encryption keys, or other sensitive information. If this makes no sense to you, you’re not alone. This stuff happens at such a deep level that only CPU designers really understand it. This is probably why the flaw went unnoticed for so long.
The result is that a piece of software running on a computer can potentially read any piece of memory on the entire computer. This means that a website you access with your computer could read the excel spreadsheet you currently have open. Or it means that software running on a virtual machine in the cloud could read parts of a database running in a different customer’s virtual machine on the same physical server.
It's a big deal, but there are limitations. These differ depending on which variant you’re talking about.
Meltdown is the variant that is getting the most attention. It is very easy to exploit (check out this video of the exploit in action) and effects every Intel processor created since 1995. That’s quite a lot of devices! Luckily, there is a software patch available for Windows, Mac OS X, and Linux to eliminate the issue. Your cloud providers should already have done that, but you should update your computers and servers to make sure you’re protected. AMD chips and most chips used in cell phones do not appear to be vulnerable to this attack so far.
Unfortunately, the fix is likely to slightly impact performance of computers. Reports vary between 5% and 30% performance reductions depending on the age of the CPU and the specific workload. Newer Intel chips (released in the last 5 years) appear to have less of a performance hit. Most nonprofits should not have too much of an impact when they apply the software update.
Spectre is harder to exploit but also harder to protect against, and it impacts just about every CPU out there (Intel, AMD, etc). Spectre relies on a technique called Branch Prediction where CPUs try to guess at which part of computer code is going to come up next. To exploit it an attacker needs to “train” the CPU for a while (10 to 30 minutes) and then can read information only very slowly. It also does not work on all systems. This makes it far more difficult to exploit than the Meltdown vulnerability. However, because it is an architectural decision shared by most CPUs (and not a poor implementation in the case of the Intel Meltdown vulnerability) it is much harder to protect against.
What’s Not Known?
This is a very technically complex vulnerability and there is much that is still not known. We may soon find out that additional processors are vulnerable or discover novel ways of exploiting the vulnerabilities that increase nonprofits’ risk. It’s also likely that we’ll soon see attacks in the while exploiting these techniques. It’s also not yet clear if it’s possible for Intel or AMD to release “microcode” patches for their CPUs which partially or fully mitigate these attacks. Expect to see more.
What Should I Do?
The Meltdown vulnerability is the most critical one for now.
- Windows 10 KB4056892, Windows 8.1 KB4056898, and Windows 7 KB4056897 updates fixe the Meltdown vulnerability but will only install if you are using AV software that has been updated. Otherwise you won’t see the update in Windows Update and can’t install it manually. Windows Defender is supported. You can read more about the AV requirements here.
- Windows Server 2008 (R2 only), 2012 (R2 only), and 2016 have updates available as well but require some manual steps for installation. You can see this article for details.
- Mac OS X users should install Mac OS 10.13.2. It is not clear if patches for older versions of Mac OS X will be offered.
- iOS users should install iOS 11.2
- Android users should install the January 5th security update. However, this update is only available immediately on Nexus devices, other owners will need to wait until their carrier releases the update.
Spectre is more difficult to protect against, but the recommended action for now is to update browsers
- Internet Explorer and Edge can be updated through Windows Update
- Firefox users should update to the latest version
- Chrome users won’t get a full update for a few weeks, but you can enable Site Isolation today to significantly reduce your vulnerability
This is a big deal, and it’s not the last we’ve heard about it. However, the real implications for nonprofits are likely not too egregious. Protecting yourself means doing what you should be doing anyway – moving your data to cloud services that have fast responses to incidents like these and keeping your own machines up to date.
Tech Impact’s Managed IT Support clients should know that our Service Team is applying all necessary patches and updates as they become available from hardware and software vendors. No action is needed by individual clients or staff members.
Want to dive deeper into IT Security best practices for nonprofits? Check out Tech Impact's IT Security for Nonprofits webinar recording.
Stay tuned to our blog. We’ll keep you updated as we learn more.