malware

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Speed hits loom, other OSes need fixes

Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed “Meltdown” and “Spectre,” the flaws affect nearly every device made in the past 20 years. The Meltdown flaw only affects Intel processors. And researchers have already released proof of concept code that could lead to attacks using Meltdown.

The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easy this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”

Programmers are scrambling to overhaul the open-source

Linux kernel’s virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked. However we’re looking at a ballpark figure of five to 30 per cent slow down. Depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

Protecting a Windows PC is complicated right now, and there’s still a lot of unknowns. Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defence. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. Apple has not commented on how it plans to fix its Safari browser or even macOS. Chrome, Edge, and Firefox users on Windows won’t really need to do much apart from accept the automatic updates to ensure they’re protected at the basic browser level.

How can this security hole be abused?

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server. Able to sniff sensitive kernel-protected data.

Best-case scenario

Specifically, in terms of the best-case scenario, it is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory.

If you randomize the placing of the kernel’s code in memory. Exploits can’t find the internal gadgets they need to fully compromise a system. The processor flaw could be potentially exploited to figure out where in memory the kernel has positioned its data and code, hence the flurry of software patching.

However, it may be that the vulnerability in Intel’s chips is worse than the above mitigation bypass. In an email to the Linux kernel mailing list over Christmas, AMD said it is not affected. The wording of that message, though, rather gives the game away as to what the underlying cockup is:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

If you own a Windows-powered PC or laptop

The best thing to do right now is ensure you have the latest Windows 10 updates. And BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell. Here’s a quick step-by-step checklist to follow for now:

  • Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser
  • Check Windows Update and ensure KB4056892 is installed for Windows 10
  • Check your PC OEM website for support information and firmware updates and apply any immediately

These steps only currently provide protection against Meltdown, the more immediate threat of the CPU flaws. Spectre is still largely an unknown, and security researchers are advising that it’s more difficult to exploit than Meltdown. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign or the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.

Getting started with your new Windows 10 laptop

Maintenance

1 reply

Trackbacks & Pingbacks

  1. […] Windows 10 fans have been put on alert about malicious software that can slow their computers to a snail’s pace and is invisible to them. The adware was discovered by analysts from Bleeping Computer who revealed it can drain CPU resources by up to 80 per cent. […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *