SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 73: Meltdown, Spectre and You!

Posted on January 25, 2018

Have you recently seen tech headlines “melting down” about a major bug in computer processors? Do all the headlines about “Spectre” make you wonder if a ghost is haunting your Mac? What’s this all about, and what’s really going on here?

On today’s edition of The Checklist, we’re tackling the complex topics of Spectre and Meltdown, arguably two of the biggest and most far-reaching security vulnerabilities we’ve ever seen. Among those impacted are everyone from iOS and macOS users to Windows machines and just about anything powered by a modern Intel, AMD, or ARM processor anywhere in the world!

On our list for today’s discussion:

  • What are Spectre and Meltdown?
  • Who do these vulnerabilities affect?
  • What has been done to fix the problem?
  • How these issues affect Apple devices
  • What the future holds for these flaws

Let’s kick things off by diving right into the issue, cutting through the jargon, and breaking down exactly what makes these flaws so serious and concerning.

What are Spectre and Meltdown?

Before we can get into addressing all the actions taken by tech giants since the disclosure of these problems, we need a good working definition for what they are. Altogether, there are three distinct flaws at play here: one called Meltdown, and two separate but related vulnerabilities that both go by the name Spectre. Each of these flaws relies on exploiting a performance feature found in nearly every modern processor, not just Intel’s, called “speculative execution.” It helps to understand how speculative execution works so we can paint a picture of just how serious these vulnerabilities really are.

CPUs today handle a ton of work, executing billions of instructions every second and coordinating everything that goes on inside your computer or mobile device. To keep all of that moving and to hide the latency of slow operations such as fetching data from main memory, processors employ a number of clever tricks to stay ahead of the game, including executing instructions out of the order in which the program wrote them. That’s where “speculative execution” comes into play.

Think of a program’s code as a long, branching path, with your CPU running along whichever route the code tells it to follow. When it reaches a fork in the road (a conditional branch), the CPU would normally have to wait until the data that decides the branch, often a value still on its way from memory, has arrived. Rather than sit idle, the CPU “speculates”: it guesses which way the fork will most likely go, based on which way that fork went in the past, and starts executing down that path right away, holding the results in temporary storage.

When the branch condition finally resolves, the CPU is immediately ready with the results if it guessed right. When its guess was wrong, the CPU discards the provisional results, returns to the fork in the road, and proceeds down the correct path. To the software and the user, there’s no visible sign of the unnecessary work performed.

This is a very simplified explanation, but the general concept should be clear: your processor does a little guesswork to anticipate what software will need to do next. If it’s right, it has a head start, holding the answers until they’re needed. If it’s wrong, it has lost little time and, as far as the program’s results are concerned, nothing has been harmed.

This all happens so fast it’s not something the average user would even be aware of in daily life. However, it turns out that there are some fundamental security flaws in the way a number of processors handle speculative execution: the discarded work is not quite invisible. Speculative reads leave traces in the processor’s cache, and those traces can be used to reveal data the program was never allowed to see. Knowing all this, we can now finally break down how each of these flaws works!

First up is Meltdown, which directly attacks the way speculative execution handles access to privileged memory. As you might remember from some of our previous discussions, the kernel is the core of your operating system: it has its own protected region of memory holding the most sensitive data on the machine, and it is the layer that works directly with the CPU on behalf of every other program.

In normal operation, kernel memory stays walled off, and ordinary programs simply cannot read from the kernel’s address space. On affected chips, though, the permission check on a read happens late: during speculative execution, the CPU can fetch data from kernel memory and hand it to the instructions that follow before it notices that the read was not allowed.

To exploit Meltdown, an attacker’s program reads a byte it isn’t allowed to touch in kernel memory and, in the instructions immediately after that read, uses the value to pick which entry of an ordinary, attacker-owned array to load. The forbidden read eventually raises an error because of the missing permission, but in the time it takes for that error to arrive, the CPU has already performed the follow-up load. It then throws away the results of both instructions, but not completely: the array entry selected by the secret byte now sits in the processor’s cache, and which entry is there reveals the byte.

Reading that information back out of the cache relies on timing: the attacker measures how long each array entry takes to load, and the one that comes back fast is the one the secret selected. The important detail is that sensitive data can be recovered this way, byte by byte, from essentially anywhere in memory. This could be anything from an image file to a user’s password or credit card numbers. Almost any program that runs attacker-controlled code, web browsers included, could in principle be used to trigger Meltdown. The attack does need code running on your machine, but once it is there, the amount of data Meltdown can expose makes it a major threat.

What about Spectre? The two vulnerabilities in this class are more difficult to pull off, but they too can let attackers read sensitive information belonging to other programs or to the kernel. The attacks have been given specific names, “bounds check bypass” (variant 1) and “branch target injection” (variant 2). In both cases, the attacker deliberately “mis-trains” the system the processor uses to predict branching decisions in software. The victim program’s own, correctly written code is then tricked into speculatively fetching data it would never actually return: a bounds check is speculatively passed with an index that’s out of range, or a jump is steered to a piece of code of the attacker’s choosing. Like Meltdown, Spectre learns what was fetched through the same cache timing “side channel.” The difference is that Spectre doesn’t depend on the late permission check behind Meltdown, which is why it reaches far more chips and is harder to fix.
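As an added illustration for these notes, not code from the podcast, Apple, Intel, or Google, here is the instruction pattern behind both the Meltdown sequence described above (a secret-dependent load that leaves a trace in the cache) and Spectre’s bounds check bypass, together with the index-masking fix that the Linux kernel and WebKit adopted for variant 1. The array contents, the attacker’s index and all function names (touch_probe, victim_vulnerable, victim_hardened, index_mask_nospec, slot_if_mispredicted) are constructed for this example; the cache-timing readout is described in comments but not implemented, because it needs CPU-specific instructions and its results are not deterministic.

```c
/* Added example, not code from the podcast or from any vendor: the instruction
 * shape that makes Meltdown and Spectre variant 1 work, alongside the
 * index-masking fix kernels and browsers shipped for variant 1.
 * All arrays and values here are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PROBE_STRIDE 4096   /* one page per possible byte value: each slot gets its own cache line */

/* Constructed public data the victim is allowed to hand back to callers.
 * Whatever sits after it in memory (a key, a password) is what an
 * out-of-bounds speculative read would reach. */
static uint8_t public_array[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* The "transmitter" shared by Meltdown and Spectre: 256 page-spaced slots. */
static uint8_t probe[256 * PROBE_STRIDE];

/* A load whose address depends on a secret byte pulls exactly one probe slot
 * into the cache. A real attack flushes probe[] first, lets the transient
 * instructions run, then times every slot (Flush+Reload); the slot that loads
 * fast is the byte value. The timing loop is omitted here because it needs
 * CPU-specific instructions (clflush/rdtsc) and is not deterministic. */
static inline void touch_probe(uint8_t value) {
    volatile uint8_t *slots = probe;
    (void)slots[(size_t)value * PROBE_STRIDE];
}

/* Vulnerable Spectre v1 gadget. Architecturally it is correct: out-of-range
 * indexes return 0. But once the branch predictor has seen many in-range
 * calls, an out-of-range call is speculatively taken into the body, and
 * public_array[index] (really: memory past the array) reaches touch_probe(). */
uint8_t victim_vulnerable(size_t index) {
    if (index < sizeof public_array) {
        uint8_t v = public_array[index];
        touch_probe(v);
        return v;
    }
    return 0;
}

/* Branchless clamp mask: all ones when index < size, zero otherwise.
 * Same construction as Linux's array_index_mask_nospec(). Because no branch
 * is involved, the mask is right even on a mispredicted path.
 * Assumes size is below 2^63, which any real array satisfies. */
uint64_t index_mask_nospec(uint64_t index, uint64_t size) {
    return (uint64_t)(~(int64_t)(index | (size - 1 - index)) >> 63);
}

/* Hardened gadget: the index is clamped on every path, so even a
 * mispredicted execution of the body can only read public_array[0..15].
 * (The other fix is a speculation barrier such as lfence after the check;
 * masking is cheaper and is what WebKit and the Linux kernel use.) */
uint8_t victim_hardened(size_t index) {
    if (index < sizeof public_array) {
        size_t safe = (size_t)(index & index_mask_nospec(index, sizeof public_array));
        uint8_t v = public_array[safe];
        touch_probe(v);
        return v;
    }
    return 0;
}

/* Models the mispredicted path: which array slot the load would touch if the
 * CPU ran the body regardless of the check. For the vulnerable gadget that is
 * the attacker's raw index; for the hardened one it is clamped to slot 0. */
size_t slot_if_mispredicted(size_t index, int hardened) {
    if (!hardened) return index;
    return (size_t)(index & index_mask_nospec(index, sizeof public_array));
}

int main(void) {
    size_t attacker_index = 100000;  /* constructed: far past the 16-byte array */
    printf("in bounds  : vulnerable=%d hardened=%d\n",
           (int)victim_vulnerable(3), (int)victim_hardened(3));
    printf("mispredict : vulnerable would load slot %zu, hardened loads slot %zu\n",
           slot_if_mispredicted(attacker_index, 0),
           slot_if_mispredicted(attacker_index, 1));
    return 0;
}
```

Both gadgets behave identically to their callers; the only difference is what the load can touch while the CPU is still guessing, which is exactly the part that logs and normal testing never see.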

It’s tough to explain, but even tougher to do. For now, Spectre attacks in particular are very hard to pull off. The security researchers at Google’s Project Zero created a proof of concept attack program using the Spectre vulnerabilities, and in order to use it, the software needs around 30 minutes of setup first! When was the last time you waited 30 minutes for any program to start?

However, regardless of the difficulty, the reality is that both Spectre and Meltdown are serious threats. Neither of them leaves any trace behind that researchers know of; traditional log files don’t capture any of the information involved in these exploits. With the ability to silently read almost any desired information on a computer, they could pave the way to serious malware threats. So how widespread are these flaws in today’s computer hardware?

Who do these vulnerabilities affect?

A better question might be “Who don’t these vulnerabilities affect?” Almost every device manufactured over the last two decades (roughly since the introduction of speculative execution into modern chips) is vulnerable in some way or another to these flaws. As the news initially broke about the existence of these problems, there was a great deal of confusion as to who was and was not affected. Now that the dust has settled, it’s easier to discern exactly where the risk lies.

In particular, Meltdown is a flaw that is almost exclusive to Intel processors, although a few other designs, including some ARM cores and the Apple-designed chips in iPhones and iPads, are also affected. AMD says that based on the specific design of its architecture, its chips aren’t susceptible to Meltdown at all. Even so, consider just how many chips Intel supplies to devices around the world, from Macs and PCs to servers and other critical computing hardware. There could be millions or even billions of devices that could fall victim to attacks using the Meltdown flaw.

What about Spectre? Both the “branch target injection” and “bounds check bypass” variants of Spectre work on practically every CPU out there, including AMD, Intel, and ARM chips. Because Spectre turns a victim’s own correctly written code against it, tricking the processor into speculatively reading another program’s memory based on the false patterns the attacker has taught its branch predictor, it is harder to defeat than Meltdown: there is no single permission check to fix. In the initial mitigation guidance from the researchers who found Spectre, the primary fix they proposed was hardware redesign and replacement.

In other words, the only way to truly eliminate Spectre is to fundamentally redesign the way CPUs work. It’s easy to see why the recommendation was quickly rewritten to prioritize software mitigations instead: there are simply too many chips out there to replace, and the cost would be enormous.

All the major tech companies, from Microsoft and Google to Intel, AMD, and others, have been engaged in a massive effort to develop fixes and release patches. We’ll go into more detail on the way those fixes have been rolling out, alongside their aftermath, but first another question: did these vulnerabilities catch everyone by surprise? It seems like they just exploded into the news out of nowhere.

In reality, both problems were discovered last year, in 2017. Three separate groups of researchers, including Google’s Project Zero, independently arrived at many of the same conclusions that led to the formal classification of Meltdown and Spectre. In June, Intel and AMD received information about the Spectre flaws, and once confirmed, information about Meltdown was passed along in July. This kicked off an intensive period of research and development, and by November, Intel was informing many of its biggest partners about the existence of the flaws.

While development of patches continued and some were rolled out in a limited fashion by Google, Microsoft, and others, the bulk of the work had yet to be done. By the beginning of January, many people were beginning to notice the flurry of activity, alongside degraded performance on systems that had been updated. As the media began to piece together the details of the vulnerabilities, Google chose to disclose information about the flaws ahead of the agreed schedule. As word spread of flaws that hit almost every computer, many people began to ask: “Am I safe?”

What has been done to fix the problem?

The answer to that question is twofold: “it’s complicated” and “it depends.” We’ll tell you all about what Apple’s done — and what you can do — to fix this issue in a moment. The general response to these threats is just as important as Apple’s specific efforts, though, because there are so many devices affected. As news broke, the rush to provide peace of mind to users was on — and that led to some more problems on its own.

Meltdown patches went out the door first for services that had not yet received them; Google and Amazon, for example, had already issued patches internally. Microsoft began to roll out patches for Windows, and Intel also stated they were close to issuing firmware updates to mitigate the effects of the attacks. Some issues immediately became apparent.

The Meltdown fix (kernel page-table isolation, which makes the operating system switch memory maps every time a program calls into the kernel) is expensive for anything that makes a lot of those calls, and users often noticed slowdowns immediately. While Intel itself claimed that the fixes would cost no more than about 10% in performance, older machines were badly affected, and performance could severely degrade on workloads heavy in disk, network, or other system calls. At one point Intel even told customers to hold off installing the firmware updates it had supplied, saying a better fix was on the way. Meanwhile, Google continues to research the issue and has published a compiler-level technique it calls “retpoline” that mitigates branch target injection with far less of a performance hit than the firmware-based fix.

Complicating the rollout after the public announcements, some fixes caused machines to become locked in reboot cycles or to refuse to boot at all. After the initial rush to patch devices, the pace slowed down, and we’ve since seen a steady stream of more stable patches coming out from the major publishers.

Spectre patches have proven more difficult to develop, and they’ve made it to users more slowly. All the major browsers and operating systems now have mitigations in place that make these flaws harder to attack (browsers, for instance, have coarsened the high-resolution timers that a cache side channel depends on), and over the coming months we can likely expect more sophisticated changes and corrections to appear.

Although no malware exploiting these issues is yet known, this is also a good time to remind our listeners to keep your anti-malware/anti-virus solution installed and up to date. Because a malicious program needs access to your system to steal data through these three methods, the simplest way to prevent any problem is to ensure no malware makes it onto your machine in the first place. After that, it’s time to check to see if you’re up to date on your operating system and web browsers.

How these issues affect Apple devices

With that in mind, where do Mac and iOS users stand in all this? As it turns out, Apple has been relatively on the ball when it comes to staying ahead of the game with Spectre and Meltdown. That being said, these flaws do affect Apple devices: everything from your desktop Mac to your MacBook, iPhone, and iPad could be susceptible to hackers leveraging the attacks. Only the Apple Watch comes out unscathed, due to the unique processor it uses. However, if you’ve been keeping up on your updates to macOS and iOS, chances are good that you’re already protected against the most serious issues.

Apple patched Meltdown on its devices almost a month before the news broke into the media. Those updates include iOS 11.2, macOS 10.13.2, and tvOS 11.2. All of these came out in mid-December, though the patch notes at the time did not make explicit mention of the Meltdown issue. This was likely due to non-disclosure arrangements in place with Intel and others still working on correcting the issue. If you’ve updated your devices to these versions already, you should be safe from Meltdown. Some iPhone users have reported slower performance, like those on Windows PCs, but so far any widespread effects of the fix have been limited.

Since Apple products remain vulnerable to Spectre as well, a new round of patches to correct it has also recently gone out the door. These include a supplemental update to macOS 10.13.2 alongside iOS 11.2.2. El Capitan also got an update. To close the door to JavaScript-based, browser-delivered versions of the Spectre attack, an update to Safari was also released. Upgrading to these latest versions as soon as possible is the path we recommend, especially as performance issues remain limited.

What about older hardware, though? The new iOS update, for example, only applies to the iPhone 5s model and forward. As for the macOS updates, only High Sierra and El Capitan received the fixes, and it appears that Yosemite and older versions of the OS will not be patched. If Apple intends to issue such updates, they haven’t made any indications about their intentions. Unfortunately, this means that users on these older systems will remain vulnerable to these flaws. Products from the PowerPC era (i.e., before the 2006 switch to Intel chips in Apple computers) are safe from Meltdown, though the impact of Spectre is still unknown.

As attackers learn more about these flaws and work to develop methods for exploiting them efficiently, it is possible that they will set their sights on whatever hardware is still vulnerable. Thus the only way to avoid the risk on an older machine is to upgrade to a newer OS version or, where that isn’t possible, newer hardware. However, Apple has noted that for now it does not believe any active exploits for Spectre and Meltdown have been used to attack its platforms. With the increased threat, though, it may be time to take a serious look at retiring older Apple devices in favor of newer, more secure products.

Otherwise, simply update to the latest version and stay on top of any additional patches Apple issues in the coming months. As we learn more about mitigating Spectre, additional tweaks may become necessary. Remember, there is no clear way to tell whether you’ve been affected by someone using one of these attacks. The security experts in Cupertino do believe it is very hard to attack the Mac, though, and there likely hasn’t been time for hackers to develop effective malware in this domain yet.

What the future holds for these flaws

We know, of course, that just because there aren’t any active attacks now doesn’t mean that will always be the case. According to some researchers, we’re likely to see both of these attacks eventually come to occupy a standard place in the hacker’s toolkit. The fact is that even with patches available, not everyone will update their devices quickly. Many devices, such as mobile phones and all kinds of third-party hardware, will only get updates piecemeal or spread out over time. The result is that there will likely remain a very large attack surface for hackers to exploit.

The good news is that Apple devices that have been kept up to date are already protected. The bad news is that not all your other hardware may be, so it’s important to keep an eye out for updates that could come down the pipeline. We can probably expect the process of fixing Spectre, especially, to take some time. In the meantime, the ramifications for the world of technology in general are harder to pinpoint.

We can certainly expect architectural redesigns in future editions of chips, but Intel has a great deal to answer for in relation to its handling of these problems. There’s even an unfolding story surrounding Intel’s CEO selling millions of dollars worth of stock in the months prior to Meltdown’s public disclosure. Whether it was above board remains to be seen, but the confusing response and irregular fix rollout will stick on their reputation for some time.

Meanwhile, we’ll have to watch, wait, and see if these developments kick off the creation of whole new families of malware. For now the overall risk to the average user remains small, especially for some Spectre attacks that require more direct access to your devices. Stick with us as we watch this story throughout this year.

It is hard to think of another security incident as large in scope and severity as this one — and with flaws present in almost every chip out there, these are fundamentally different beasts to the software problems we usually deal with here on The Checklist. For now, rest assured that Apple has taken appropriate steps to get these fixes out the door — and if you’re still lingering on an older system that won’t receive any patches or updates, now might be a good time to consider an upgrade.
