May 22, 2018

Spectre Meltdown Update

Information security researchers have found two major security vulnerabilities, dubbed “Meltdown” and “Spectre,” that affect the processing chips in almost every computer made in the last 20 years (including mobile phones, embedded devices, cloud computers, etc.).
These vulnerabilities could allow attackers to steal data, including passwords and other information previously thought to be inaccessible, from almost all types of computers and devices. The Meltdown vulnerability affects only Intel processors, whereas the Spectre vulnerability affects Intel, AMD, and ARM processors.

See the linked risk advisory for more information about mitigation efforts. A deeper dive into this class of vulnerabilities is below.


There are several vulnerabilities affecting almost all modern processors:

  • CVE-2017-5753 (“Spectre” variant 1, bounds check bypass)
  • CVE-2017-5715 (“Spectre” variant 2, branch target injection)
  • CVE-2017-5754 (“Meltdown”, rogue data cache load)

This post isn’t about these specific vulnerabilities or their technical implications; it is intended to discuss why this type of vulnerability is so difficult and painful to mitigate, and what can be done in cases where the hardware vendor won’t help you.

One of the “Spectre” variants (branch target injection) requires a CPU microcode update. These are usually supplied as part of BIOS updates from device manufacturers. There are large numbers of older computing devices, including desktop computers, phones, and other embedded devices, which may never get the required BIOS updates. Such devices are likely to remain vulnerable to exploits of this type until they are replaced.
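
The Python script below is an added example, not code from the original article. It reads the status that Linux kernels 4.15 and later publish under /sys/devices/system/cpu/vulnerabilities for the three CVEs listed above, plus the microcode revision from /proc/cpuinfo, so that hosts which never received an update can be flagged in an inventory. The function names and sample values are constructed for illustration, and a host whose kernel is too old to report a status is treated as needing attention.

```python
import re
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE from the list above
CVE_FILES = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
}

def classify(status):
    """Map one sysfs status line to OK / VULNERABLE / UNKNOWN."""
    if status is None:
        return "UNKNOWN"  # file missing: kernel predates the reporting interface
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "OK"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"

def microcode_revisions(cpuinfo_text):
    """Return the set of microcode revisions listed in /proc/cpuinfo (x86)."""
    return set(re.findall(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.MULTILINE))

def triage(statuses, cpuinfo_text=""):
    """statuses: dict of sysfs file name -> file contents (None if missing)."""
    report = {cve: classify(statuses.get(name)) for name, cve in CVE_FILES.items()}
    report["microcode"] = sorted(microcode_revisions(cpuinfo_text))
    report["needs_attention"] = any(report[c] != "OK" for c in CVE_FILES.values())
    return report

def read_host():
    """Collect the same inputs from the running system."""
    statuses = {n: (SYSFS / n).read_text() if (SYSFS / n).exists() else None for n in CVE_FILES}
    cpuinfo = Path("/proc/cpuinfo")
    return statuses, (cpuinfo.read_text() if cpuinfo.exists() else "")

# Constructed sample: a host whose kernel reports variant 2 as unmitigated.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}
SAMPLE_CPUINFO = "processor\t: 0\nmicrocode\t: 0x1c\nprocessor\t: 1\nmicrocode\t: 0x1c\n"

if __name__ == "__main__":
    for key, value in triage(*read_host()).items():
        print(f"{key}: {value}")
```

The status lines are the kernel's own view of the host; the recorded microcode revision still has to be compared against the revision the hardware vendor publishes for that processor.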

This class of vulnerabilities has called attention to challenges in firmware lifecycle management processes industrywide, including:

  • It’s difficult to even know when BIOS and firmware updates are available, let alone whether they’re critical.
  • Finding the right update for your hardware can be a chore.
  • Installing firmware and BIOS updates is frequently a labor-intensive process, often requiring manual interaction with every device.
  • Firmware support policies vary wildly. Some vendors are slow to release updates, and it is frequently true that owners of old or out-of-warranty hardware won’t get them at all.

It used to be assumed that the only risk of running older hardware was that availability might suffer if it fails. There is now an increasingly significant risk that old hardware also threatens confidentiality and integrity of data through firmware exploits. This issue will continue to haunt us long after it has faded from the mainstream media and IT admins have moved on to the next doomsday threat. It is not hard to foresee a fire drill in the not-too-distant future when a weaponized exploit for Spectre is deployed and old computers which never got microcode updates are sitting ducks.

These questions need to be considered:

  • How do we effectively manage the microcode updates required to mitigate the recently publicized processor bugs?
  • Is there anything to be done for hardware from vendors that can’t or won’t issue updates?
  • How do we nudge the industry to raise the maturity level of firmware lifecycle management—including vulnerability notification and firmware update processes—to the same level as we generally have for software today?