Update on processor vulnerabilities (Meltdown/Spectre)
Intel has confirmed that the microcode updates designed to mitigate Spectre variant 2 (CVE-2017-5715: Branch Target Injection) have introduced an increased risk of system instability, data loss and corruption. Intel has released an advisory recommending that users cease deployment of the current microcode update (Root Cause of Reboot Issue Identified).
In response to this, Microsoft has released an updated security advisory, Update to Disable Mitigation Against Spectre, variant 2, and associated patch which disables this specific mitigation.
The ACSC recommends that organisations cease deploying the microcode updates currently available. For systems that have already received the microcode patch, it is recommended that organisations apply vendor-supplied patches which disable the specific problematic Spectre variant 2 mitigation.
As part of this revised patch released by Microsoft, organisations have the option to manually enable or disable the mitigation. Organisations may determine that the increased risk of instability, data loss and corruption is an unacceptable cost of mitigating the Spectre variant 2 vulnerability. For further information on enabling or disabling the mitigation, consult 'Disable mitigation against Spectre variant 2 independently' on Microsoft: Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities.
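To make the enable/disable option concrete, the following PowerShell script is an added example (not part of the ACSC advisory, Microsoft's patch or its guidance). It reads the two registry values Microsoft's guidance uses for this override, FeatureSettingsOverride and FeatureSettingsOverrideMask under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, reports whether the variant 2 mitigation is currently overridden off, and can change only the variant 2 bit while leaving any variant 3 setting alone. The bit meanings (bit 0 = variant 2 / CVE-2017-5715, bit 1 = variant 3 / CVE-2017-5754) are taken from Microsoft's published guidance and should be confirmed against the linked Microsoft article before use.

```powershell
# Added example: inspect or change the Spectre variant 2 mitigation override on Windows.
# Registry location and bit meanings follow Microsoft's speculative execution guidance
# (confirm against the linked article). Writing to HKLM requires an elevated session,
# and a change only takes effect after a reboot.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$BtiBit = 1   # bit 0: branch target injection mitigation (Spectre variant 2, CVE-2017-5715)
$KvaBit = 2   # bit 1: kernel VA shadowing (Meltdown / variant 3, CVE-2017-5754)

function Get-SpectreV2Override {
    # Returns the raw values plus a decoded state for variant 2. Absent values, or a mask
    # with bit 0 clear, mean the operating system default applies (no explicit override).
    $props    = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $override = if ($null -ne $props.FeatureSettingsOverride)     { [int]$props.FeatureSettingsOverride }     else { $null }
    $mask     = if ($null -ne $props.FeatureSettingsOverrideMask) { [int]$props.FeatureSettingsOverrideMask } else { $null }
    $state = if ($null -eq $override -or $null -eq $mask -or -not ($mask -band $BtiBit)) {
        'OS default (no explicit override for variant 2)'
    } elseif ($override -band $BtiBit) {
        'Variant 2 mitigation DISABLED by registry override'
    } else {
        'Variant 2 mitigation ENABLED by registry override'
    }
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Variant2                    = $state
    }
}

function Set-SpectreV2Mitigation {
    # -Enabled $false sets bit 0 of the override (mitigation off); -Enabled $true clears it.
    # Only bit 0 is touched; any existing variant 3 (bit 1) setting is preserved.
    param([Parameter(Mandatory)][bool]$Enabled)
    $current  = Get-SpectreV2Override
    $override = if ($null -ne $current.FeatureSettingsOverride)     { $current.FeatureSettingsOverride }     else { 0 }
    $mask     = if ($null -ne $current.FeatureSettingsOverrideMask) { $current.FeatureSettingsOverrideMask } else { 0 }
    $override = if ($Enabled) { $override -band (-bnot $BtiBit) } else { $override -bor $BtiBit }
    $mask     = $mask -bor $BtiBit   # make the variant 2 bit of the override authoritative
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $Key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value $mask     -Force | Out-Null
    Write-Warning 'Registry updated; the change takes effect after a reboot.'
}

# Report the current state. To turn the variant 2 mitigation off or on:
#   Set-SpectreV2Mitigation -Enabled $false   /   Set-SpectreV2Mitigation -Enabled $true
Get-SpectreV2Override | Format-List
```

For the kernel's effective state (including whether the microcode update is present), Microsoft's SpeculationControl PowerShell module (Install-Module SpeculationControl; Get-SpeculationControlSettings) gives an authoritative readout that complements this registry check.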
The ACSC is aware of reporting that a variety of security products (e.g. antivirus solutions) are incompatible with Microsoft's patches for the Meltdown and Spectre vulnerabilities.
The reports indicate that the Microsoft patches will successfully apply, but will cause system disruptions. For this reason, Microsoft is no longer offering the security patches until the security vendors certify their products to be compatible with the patches. The ACSC recommends that organisations consult Microsoft's support website and the support websites of their OEM device manufacturers and security product vendors for specific advice relating to patching for these vulnerabilities.
For more information, please refer to:
- Guidance for patching Windows workstations: Microsoft: Windows client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Guidance for patching and activating mitigations on Windows servers: Microsoft: Windows security updates released January 3, 2018, and antivirus software
- Windows patch schedule and links to OEM vendor firmware updates: Microsoft: Protect your Windows devices against Spectre and Meltdown
- Unofficial list of security software that supports Windows updates: Microsoft Windows January 2018+ antivirus security update compatibility matrix
The ACSC's advice remains that organisations should patch Meltdown/Spectre vulnerabilities as soon as possible.
Recent media reporting has indicated that applying the patches for these vulnerabilities can lead to performance issues, and can impact the availability of third-party software. Vendors have advised that in most cases there will be negligible performance impact following the application of the patches. For everyday users, the performance impact of applying these patches is unlikely to be noticeable.
Should organisations still be concerned about performance impacts, the ACSC recommends that you consider patching and testing plans in your environment prior to application.
For more detailed information, see 5 January 2018 update below.
What are Meltdown and Spectre?
Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors from a range of vendors produced in the last decade. These methods have been referred to as ‘Meltdown’ and ‘Spectre’.
Meltdown is described as a vulnerability that allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Meltdown only impacts Intel chips.
Spectre allows access to protected memory of other applications. Spectre impacts Intel, AMD and ARM chips, which includes some mobile devices.
Why is this important?
A malicious actor could possibly use this vulnerability to gain access to areas of memory they should not have permission to access. This could result in malicious actors obtaining sensitive data, such as passwords.
Many devices, including laptops, desktops and hardware in datacentres, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to mitigate these issues.
While there is currently no indication that the vulnerabilities are being actively exploited by malicious cyber actors, the ACSC advises you to patch your devices as soon as possible.
What should I do now?
Patches have been released, or are expected in the near future, for various operating systems and applications likely to be impacted. This includes updates for various web browsers. Firmware patches from the vendors of affected hardware are also expected in the near future.
Some antivirus applications are currently not compatible with the security update released for Windows operating systems on 3 January 2018. Some users will have to wait until their antivirus software has been updated to apply this Windows security update. Microsoft has released guidance for Windows clients and servers.
There has been speculation that the deployment of certain patches potentially causes reduced performance. Vendors have indicated that in most cases they see negligible impact; however, performance can vary. The ACSC is unable to quantify the impact, but recommends that organisations consider this in their patching plans.
For everyday users, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch are as yet unknown. We welcome advice on any performance impacts experienced as a result of patching.
Organisations should apply patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities).
Advice for owners and customers of cloud services
Applying the patches may have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities.
Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) customers should have their environments patched by their provider. Customers should check the website of their provider to confirm the relevant patches have been applied.
Infrastructure-as-a-Service (IaaS) customers will need to apply the relevant patches to their IaaS instances.
Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching.
The ACSC is assessing the impact on cloud services listed on the Certified Cloud Services List (CCSL). The ACSC has engaged with these companies and they are taking appropriate action.
- Google Project Zero
- Vulnerability websites
- CVE sites
Processor vendor information
- AMD: Google Project Zero, Spectre and Meltdown
- Arm: Vulnerability of speculative processors to cache timing side-channel mechanism
- Intel: Intel issues updates to protect systems from security exploits
Operating system information
- Android: Security Bulletin, January 2018
- Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs
- Microsoft: Guidance to mitigate speculative execution side-channel vulnerabilities
- Red Hat: Kernel side-channel attacks
- SUSE: 'Meltdown' and 'Spectre' side channel attacks against modern CPUs
- Ubuntu: Ubuntu updates for the Meltdown / Spectre vulnerabilities
Web browser information
- Google Chrome: Actions required to mitigate speculative side-channel attack techniques
- Microsoft Edge and Internet Explorer: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Mozilla Firefox: Mitigations landing for new class of timing attack
Virtualisation software information
- Citrix: Citrix security updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
- VMware: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
- Xen: XSA-254 Information leak via side effects of speculative execution