Here we are, just at the start of 2018 and we’ve had the first major bug disclosure of the year. Researchers have found a critical vulnerability in modern processors which impacts not just servers and desktops but also mobile devices.
Courtesy of Meltdown Attack.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
How This Affects Azure
As many of you will be aware, Microsoft had already scheduled in planned maintenance as part of a host upgrade to Windows Server 2016. This maintenance was accelerated as part of the vulnerability which was discovered and Microsoft took the decision to bring forward the planned reboot.
You can take a number of steps to ensure you stay secure. This is important as don’t forget this vulnerability is set to affect the majority of devices.
- Enable browser site isolation (Chrome / Firefox).
- Install the latest Microsoft update.
- Update your Android phone.
Apple is yet to announce anything for iOS, however, I understand that OS X already has an earlier update to resolve this vulnerability, this requires High Sierra to be installed.