Threat Advisory: Meltdown & Spectre
According to the team at Graz University of Technology that responsibly disclosed the new bugs, Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.
Meltdown is so named because the bug basically melts security boundaries which are normally enforced by the hardware. Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus data, of other programs and the operating system.
According to reports, every Intel processor since 1995 (except Intel Itanium and Intel Atom before 2013) are potentially affected by Meltdown. ARM processors are also affected, but AMD has stated there is “Zero AMD vulnerability due to AMD architecture differences.”
Spectre (CVE-2017-5753 and CVE-2017-5715)
Spectre got its name from its root cause, speculative execution. As it is not easy to fix, its name implies that the researchers think it will haunt us for quite some time. Spectre breaks the isolation between different applications, and allows an attacker to trick error-free programs into leaking their data.
Almost every system is affected by Spectre. More specifically, Spectre vulnerability has been verified on Intel, AMD, and ARM processors. Additional exploits for other architectures are also known to exist. These include IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian).
How to protect mobile devices from Meltdown & Spectre vulnerabilities
Operating System Patches
Apple and Google both stress that there are no known exploits impacting customers at this time.
To help defend against the bugs, Apple and Google have both released patches.
- Android users should have security patch levels of 2018-01-05 or later, as documented on January 5 as part of the Android January security patch update.
How Zimperium zIPS Helps
No app, including zIPS, can immediately detect attacks on the hardware itself since apps do not have privileged access to device hardware. However, zIPS can help in two ways:
- Identify devices running outdated operating systems that are not protected by the iOS and Android patches.
- Detect malicious apps and device exploitation attempts via its industry leading, machine learning-based threat detection technology.
- Apps: According to Apple, exploiting many of these issues requires a malicious app to be loaded on your iOS device. zIPS can detect malicious apps via a combination of machine learning, static and deterministic approaches.
- Device Exploits: If an attacker wants to compromise a device, then there are additional steps required–steps that zIPS will detect on-device. For example, a kernel exploit would trigger our system tampering warning.