Internet Security BLOG

Meltdown: A Security Flaw like No Other


With the potential to affect almost every computer built around an Intel processor from the last two decades, the Meltdown security vulnerability is causing serious upheaval in the computer industry.

Perfectly named, Meltdown melts the boundary that operating systems (including Windows, Android, macOS, iOS and Linux) rely on to keep kernel memory out of reach of ordinary programs, and the fixes for it come at the cost of reduced performance. It is the type of security flaw that experts would have been grateful to see confined to a handful of products, but Meltdown affects any computer built with an Intel x86 processor that executes instructions out of order, along with certain ARM cores (notably the Cortex-A75). And it is a flaw that has been present in Intel chips for over 20 years.

It’s a vulnerability that the digital age really didn’t need, and it has left security experts questioning just how far its reach extends. For microprocessor manufacturers, it has meant intense pressure to reassure consumers and issue patches. So it’s time to prepare yourself for Meltdown.

What is Meltdown?

To understand the modus operandi of a Meltdown attack, we need to start with the operating system kernel. The kernel acts as a bridge that allows hardware and software to communicate with each other; without this mediation, a computer could not share CPU time and memory between multiple applications. Acting as the heart of any operating system, the kernel is a sensitive and crucial component, and its memory is supposed to be off limits to ordinary programs.

In order to maximize performance, modern processors perform speculative and out-of-order execution: they run instructions before it is known whether their results will be needed, or whether an earlier instruction will fault, rather than stalling the pipeline while that is resolved. If the work turns out to be unwanted, its results are discarded before they become visible to the program. This had always seemed fine, until several different research teams discovered a massive flaw in the hardware behind it: the discarded work still leaves traces in the processor’s cache.

Standard practice is for only kernel-mode code to be allowed access to kernel memory; a user-mode program that tries to read it gets a fault. With Meltdown, however, the processor has already executed the instructions that follow the faulting read by the time the fault is raised, and through a cache side channel the attacker can observe what those instructions did. This gives an unprivileged process a way to read kernel memory, and on Linux and other systems that map all of physical memory into the kernel’s address space, potentially the memory of every other process as well. The attack is completely invisible to the victim, but it exposes sensitive information such as logins, passwords and any other data held in memory. As Meltdown is purely a read-only vulnerability, there’s no risk of attackers modifying or trashing a computer through it, but the security concerns are monumental.

Naturally, the kernel’s memory has always been rigorously protected, but, as the team around Daniel Gruss at Graz University of Technology (and, independently, other researchers) discovered, not rigorously enough. You see, the out-of-order instructions that run before the fault is raised can take the secret byte they read from kernel memory and use it to pick one of 256 lines in an array that the attacker controls. That access pulls the chosen line into the processor’s cache, and the cache is not cleaned up when the faulting work is discarded. By then timing how long each of the 256 lines takes to load, the attacker can tell which one was cached, and therefore what the secret byte was. Repeated byte by byte, this lets an attacker read restricted memory quite freely.

Intel processors that implement out-of-order execution are affected, which means essentially every Intel CPU built since 1995 apart from Itanium and pre-2013 Atom parts and, as you can imagine, that takes in a huge number of different processors. ARM, meanwhile, has confirmed that its Cortex-A75 is exposed to Meltdown, and that a few other Cortex-A cores (the A15, A57 and A72) are susceptible to a variant that leaks system registers rather than memory.

Protection from Meltdown

As with all security vulnerabilities, the key to protection is to update everything as soon as possible. Operating system and microprocessor vendors, keen to protect their assets and reputations, have been working round the clock to deliver patches that keep affected systems protected. Microsoft released the first patch on January 3rd to defend Windows against Meltdown, with Intel, Apple and ARM soon following suit. It is worth knowing that the fix for Meltdown itself lives in the operating system rather than in firmware: Windows, Linux and macOS now keep kernel memory unmapped while user programs run (Linux calls this kernel page-table isolation, or KPTI), so there is nothing left in the address space for a speculative read to reach.

Revised firmware (microcode) updates, for Intel at least, will then be issued by product manufacturers (such as Dell and HP) for the foreseeable future; these mainly address the related Spectre vulnerability, which the operating system changes above cannot fully cover. In the meantime, Intel aims to have released updates for all of its processors from the last five years by the end of January. With all the affected CPU manufacturers attempting to remedy Meltdown, you could be forgiven for thinking that this intriguing chapter of IT security was coming to an end. However, the patches and firmware upgrades are coming in for major criticism.
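On Linux the kernel reports whether the Meltdown mitigation is active, so "update everything" can be verified rather than assumed. The program below is an added example written for this post, not a vendor tool: it reads the status files under /sys/devices/system/cpu/vulnerabilities/ (present on kernels from 4.15 onwards and in distribution backports) and checks the /proc/cpuinfo flags that matter for the mitigation, namely pcid and invpcid, which let the patched kernel switch page tables cheaply, and pti, which the kernel adds when page-table isolation is on. The file layout and status strings are the kernel’s own; the sample cpuinfo text is constructed, and the parsing functions are hypothetical names chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum mitigation_state { MS_NOT_AFFECTED, MS_VULNERABLE, MS_MITIGATED, MS_UNKNOWN };

/* Classify one status line as the Linux kernel writes it to
 * /sys/devices/system/cpu/vulnerabilities/<name>, e.g. "Mitigation: PTI". */
enum mitigation_state classify_status(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return MS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MS_VULNERABLE;
    return MS_UNKNOWN;
}

const char *state_name(enum mitigation_state s)
{
    switch (s) {
    case MS_NOT_AFFECTED: return "not affected";
    case MS_VULNERABLE:   return "VULNERABLE";
    case MS_MITIGATED:    return "mitigated";
    default:              return "unknown";
    }
}

/* Return 1 if `flag` appears as a whole token on the first "flags" line of a
 * /proc/cpuinfo-style text, 0 otherwise (so "pci" does not match "pcid"). */
int cpu_has_flag(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    const char *p = cpuinfo;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        if (strncmp(p, "flags", 5) == 0) {
            const char *tok = memchr(p, ':', (size_t)(end - p));
            if (!tok) return 0;
            tok++;
            while (tok < end) {
                while (tok < end && isspace((unsigned char)*tok)) tok++;
                const char *te = tok;
                while (te < end && !isspace((unsigned char)*te)) te++;
                if ((size_t)(te - tok) == flen && memcmp(tok, flag, flen) == 0)
                    return 1;
                tok = te;
            }
            return 0;   /* the first flags line is representative of the machine */
        }
        p = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read the live status of one vulnerability file into buf; MS_UNKNOWN if the
 * file is missing (kernels before 4.15 have no such interface). */
enum mitigation_state read_vuln_status(const char *name, char *buf, size_t buflen)
{
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f || !fgets(buf, (int)buflen, f)) {
        if (f) fclose(f);
        snprintf(buf, buflen, "(no sysfs entry)");
        return MS_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_status(buf);
}

/* Constructed sample of a flags line from a patched Skylake-class machine;
 * a real /proc/cpuinfo carries many more flags. */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "model name\t: constructed sample\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush sse sse2 pcid sse4_2 x2apic invpcid pti\n";

int main(void)
{
    const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char line[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum mitigation_state s = read_vuln_status(names[i], line, sizeof line);
        printf("%-10s %-12s (%s)\n", names[i], state_name(s), line);
    }

    /* Same flag check against the live machine, falling back to the sample text. */
    static char cpuinfo[65536];
    FILE *f = fopen("/proc/cpuinfo", "r");
    size_t n = f ? fread(cpuinfo, 1, sizeof cpuinfo - 1, f) : 0;
    if (f) fclose(f);
    cpuinfo[n] = '\0';
    const char *src = n ? cpuinfo : SAMPLE_CPUINFO;
    printf("pcid=%d invpcid=%d pti=%d (%s)\n",
           cpu_has_flag(src, "pcid"), cpu_has_flag(src, "invpcid"),
           cpu_has_flag(src, "pti"), n ? "/proc/cpuinfo" : "constructed sample");
    return 0;
}
```

"Mitigation: PTI" on the meltdown line means the kernel is isolating its page tables; "Vulnerable" on a kernel that has the file means the fix was compiled out or disabled on the command line (for example with `nopti`). A machine whose flags line lacks `pcid` is the one that will pay the full cost of the mitigation discussed in the next section.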

The Meltdown Slowdown

Whilst the actions taken by Intel et al to patch around their vulnerable hardware are admirable and effective, they are also creating a new set of problems for computer users. The most immediate and measurable side effect of the patches is a decrease in performance. Because the kernel’s memory is now unmapped while user code runs, every system call, interrupt and context switch has to swap page tables on the way into the kernel and again on the way out, and on processors that cannot tag cached address translations by process (a feature Intel calls PCID) each swap also throws those translations away. Work that used to be nearly free now costs measurable time.

For the average consumer, the effect on performance shouldn’t be noticeable, but that holds only on a relatively new system with, for example, Skylake or Kaby Lake processors, whose PCID support keeps the cost of the page-table switch down. If a consumer is running Windows 10 on an older processor, there’s a good chance they will notice a slowdown. And for those who have persevered with Windows 7 or 8, the slowdown will be significantly more noticeable, as those versions make far more trips into the kernel for everyday work such as rendering fonts.

It’s when you analyze the impact of the patches on servers, though, that the performance issue really rears its ugly head. Microsoft, for example, has announced that Windows Server will suffer “a more significant performance impact” with the Meltdown patches applied, and on Windows Server the mitigations are not even switched on by default: administrators have to enable them through registry settings after weighing the performance cost against the risk. In effect, Microsoft is leaving its customers to decide whether to risk a major security exploit in order to maintain the performance of their servers, which seriously underlines how far away an efficient patch still is.

Security researcher Thomas Roth, meanwhile, has been testing a number of different chips and found that a patched Intel i7-6700 running Ubuntu 16.04 handles system calls, the communication between applications and the kernel, up to four times more slowly than before. Roth expects performance to be hit hardest in sectors that make those calls constantly, such as large websites, search engines and cloud providers. And, as if to prove his point, the increased processor usage on patched servers has been blamed by Epic Games for slowing down the cloud-based service that powers its online game Fortnite.

Final Thoughts

Meltdown has, thankfully, been mitigated on systems that have taken the patches and firmware upgrades released in the wake of its public revelation. However, it’s a damning indictment of the hardware industry that this vulnerability lay unnoticed for over 20 years. Whilst the security researchers who discovered this flaw are no doubt talented, there are more than enough attackers out there who are equally talented. And that is highly disturbing for our online future.

There’s also the small matter of the performance drop in processors that have been patched. Whilst a slight lag in performance is far better than sensitive data being compromised, the impact of this lag has already been demonstrated. And, for businesses and large organizations, the possibility of their activities being severely disrupted is very troubling.

As with all major security risks, the main takeaway is that patching is essential to protecting your systems and your data. Without these fixes, you’re more vulnerable than ever before. And with the flaw shipped in the majority of computers manufactured in the last 20 years, you need all the help you can get.


Antivirus for Mac

Antivirus Software for Mac – Need or Not?


The longstanding No. 1 reason many computer experts give for placing Apple computers above PCs is that they are immune to computer viruses. Although Macs have historically been better at resisting malware on their own, immunity is certainly not true. As early as 2002, Apple posted the following warning to its OS users:

“Although virus infections are rare, they do exist and can cause problems with (and sometimes damage) your files or application programs.”

Let’s not forget that the first-ever virus distributed “in the wild” (meaning outside an academic setting or an intranet) was targeted specifically at Apple II computers. Granted, the Elk Cloner virus spread only via floppy disks among the originator’s friends’ computers and not via the Internet, but it was still a big deal to the industry, especially in the early 1980s. It may even be the reason why Apple took the threat of viruses seriously when it created the operating system for its current incarnation of Mac computers, especially once the Internet grew in popularity.

In this day and age of cybercrime being at an all-time high, it’s important to be aware of why relying solely on Apple’s strong operating system software is not such a good idea.


Results of Pwn2Own

Operating system software producers know the best way to see how well their products can stand up to hackers is to try to have their programs hacked. The Pwn2Own competition has taken place annually since 2007 at the CanSecWest security conference. Contestants are given the challenge of hacking into a set combination of software (Web browser and operating system) and platform (Mac and PC), with the winner receiving prizes.

This controlled event helps the industry because the event’s sponsor, TippingPoint (through its Zero Day Initiative), reports the details of each hack to the appropriate vendors, and the information isn’t released to the public until patches have been created.

Mac users may be interested to know that in the 2011 version of the competition, Snow Leopard (the Mac OS version 10.6) was hacked via Safari five seconds into the competition by French security firm VUPEN.


Mac-specific viruses

In the past few years, several Mac-specific pieces of malware have been spotted in the wild. This is still out of the ordinary, but it should have Mac users’ attention.

In June 2008, strains of AppleScript.THT, a Trojan horse reported by SecureMac, were attacking Macs running OS X 10.4 and 10.5. Exploiting a vulnerability in the Apple Remote Desktop Agent to run with root privileges, AppleScript.THT could enable file sharing, take pictures with the iSight camera, log keystrokes and take screenshots. It avoided detection by turning off system logging and opening ports in the firewall.

Another attack on Macs in 2007 targeted a much smaller audience, but it should still be noted as a successful attack on Macs in the wild. The Trojan horse lured Mac users visiting porn sites with an invitation to download a codec that would supposedly let them view any porn video they found online. Instead, the download installed malware that redirected the user to phishing sites and adware.

The Flashback Trojan, first detected by the security firm F-Secure in late 2011, initially posed as an installer for Adobe Flash and later switched to exploiting a Java vulnerability on Mac OS X so that it could install itself without any user interaction. In April 2012, Dr. Web announced, and Kaspersky confirmed, that the “BackDoor.Flashback.39” variant had infected over 600,000 Mac computers. As of January 9, 2014, about 22,000 Macs were still infected with Flashback.


“Platform-agnostic” attacks

There has been an obvious shift in malware attacks, and the numbers prove the point. Cybercriminals are leaving virus-style attacks by the wayside in favor of application-based attacks. The reason is simple: a virus must be written for a specific platform or operating system, whereas an attack launched through a cross-platform application (such as Java, which Flashback exploited) works wherever that application runs.

The numbers bear this out: in 2008, Microsoft reported that only 6 percent of vulnerability attacks targeted operating system software, while 90 percent targeted applications.

These “platform-agnostic” attacks are dangerous, especially since they are brought onto the computer willingly by the user rather than by a cybercriminal who has to drop malware onto the target machine. They usually fall under the Trojan horse banner: users think they are downloading a beneficial program and instead install some form of malware.


Safety in (less) numbers?

One of the reasons cybercriminals historically avoided Macs is their small market share relative to Windows: the effort needed to attack a Mac with a virus simply didn’t produce enough profit to be viable. Look again at the VUPEN team: although their exploit took only five seconds to compromise its target, it took the team two weeks to find the flaw in Safari, and even longer to find a reliable way to use it to break through to the operating system.

However, because of platform-agnostic attacks, this is less of an issue.


Macs as carriers

Mac users may also be carriers of viruses. Just as with biological viruses, a Mac can harbor a virus without becoming infected itself, yet still pass it on to PCs that can be infected, for example by forwarding an infected e-mail attachment.


Apple recommends antivirus software

Apple has recommended that its users back up their computers’ already strong protections with antivirus software (read more in Apple Recommends Antivirus for Mac). Programs such as Norton Security work with Mac and can help block traditional virus attacks and help clean any malware that may have gotten through by non-traditional means.
