Since the public announcement of the Spectre and Meltdown vulnerabilities, vendors have been scrambling to release patches. It is as yet unclear whether the vulnerabilities have been successfully exploited by hackers; however, well over 100 strains of malware are known to target Spectre and Meltdown, at least in proof-of-concept code (1).

Whilst Meltdown can be largely addressed by system updates, Spectre vulnerabilities affect the fundamental design of modern processors, and patches only mitigate the risk of a successful attack rather than eliminating it completely. Patches for both vulnerabilities are known to impact performance, reportedly by between five and 30 per cent (2). For the Windows OS, the Meltdown and Spectre patches may also require updates to antivirus software, or the incompatibility could elicit the dreaded blue screen of death (3). Some disconcerting side effects of Meltdown and Spectre patching include unexpected system reboots (4) and data corruption (5). In older systems, there are even reports that updates resulted in unsuccessful reboots (6), effectively leaving users with door stoppers until IT comes to the rescue!

The vulnerabilities were first reported to the industry by Google Project Zero in mid-2017. As per convention, when new vulnerabilities are identified, only vendors are notified initially and given time to release patches before they can be exploited by attackers. In the case of Spectre and Meltdown – where the vulnerabilities had systemic impacts involving multiple vendors – there appears to have been a breakdown in coordination, or more specifically in how the information flow was controlled. Even the U.S. government became a spectator, as it was not informed of the vulnerabilities before they were publicly known (7). In January 2018, a tech website accurately deduced and pre-emptively published the vulnerabilities before the vendors were due to make their own scheduled notifications (8). Exactly how they deduced this is still unclear, although the updated Linux source code had been available on open source channels several weeks prior (9). Vendors were not ready for the public revelation of the Meltdown and Spectre vulnerabilities, resulting in responses and fixes that had to be reiterated in full public view. Some recommendations can be made based on lessons learned from this episode, including:

  1. Customers of cloud service providers need to monitor for service impacts post-patching; e.g. some cloud service customers noticed a performance impact upon the application of Meltdown patches (10).
  2. Organisations should review and improve their unscheduled patching processes, especially for patches with interdependencies that also require large-scale deployments.
  3. Organisations should improve the analysis, implementation and monitoring of imperfect patches. In many cases, system administrators and others responsible for patch management were overwhelmed by the volume of information and recommendations available.
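One concrete way to monitor the state of these imperfect patches on a Linux fleet is to read the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (the meltdown, spectre_v1 and spectre_v2 entries appear on kernels that carry the fixes). The script below is an added example written for this article, not code from the original post or from any vendor: it classifies each status line as mitigated, vulnerable, not affected or unknown and lists the issues that still need attention. The sample status strings are constructed to match the kernel's reporting format and are used only when the sysfs directory is absent, so the script runs offline.

```python
"""Audit Spectre/Meltdown mitigation status as reported by the Linux kernel.

Added example (not part of the original article). It reads the per-issue
status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/
and, when that directory is missing, falls back to a constructed sample.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample modelled on the kernel's status strings; it is not output
# captured from a real host.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map a kernel status line to mitigated / vulnerable / not_affected / unknown.

    The kernel prefixes each line with "Mitigation:", "Vulnerable" or
    "Not affected"; anything else is reported as unknown so it is not
    silently treated as safe.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Return {issue_name: status_line} from sysfs, or {} when unavailable."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                result[name] = f.read().strip()
        except OSError:
            # Unreadable entry: skip it rather than abort the whole audit.
            continue
    return result


def audit(statuses: dict) -> list:
    """Return the issues that still need attention (vulnerable or unknown)."""
    return sorted(
        issue for issue, status in statuses.items()
        if classify(status) in ("vulnerable", "unknown")
    )


if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE_STATUS
    for issue, status in statuses.items():
        print(f"{issue:12s} {classify(status):13s} {status}")
    print("needs attention:", ", ".join(audit(statuses)) or "none")
```

Run it as part of a post-patch check: a host that reports "Vulnerable" for spectre_v2 after the update has been applied (as the constructed sample does) is exactly the imperfect-patch case that needs follow-up, for example a missing microcode update or a kernel built without retpoline support.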

This CPU saga looks set to continue, as researchers from Princeton University have recently identified new variants, named MeltdownPrime and SpectrePrime (11). These variants impact dual-core CPU architectures and expose data stored across multiple processor memories. The silver lining is that patches for the original Meltdown and Spectre vulnerabilities are also effective against the new variants. Whilst the vulnerabilities can be mitigated, the patches are continuing to exact their revenge.
