One Year Later, Looking Back at Meltdown and Spectre Bugs

It’s been a year since the IT world experienced two of the worst bugs in history: Meltdown and Spectre. These well-known bugs are complicated to resolve, mostly due to the exploited vulnerabilities' ubiquity. Both bugs manipulate the fundamental structure of modern processors, so resolving these bugs requires most processor manufacturers to redesign the entire framework of their processors.

Intel, AMD, ARM, and even Nvidia were victims when these bugs were disclosed to the public in January of 2018. Security professionals around the globe raced to patch their machines as soon as vendors released them. OS and firmware-level patches eliminated the vulnerabilities these bugs exploit, but CPU performance took a hit. The only permanent fix that didn't impact CPU performance was at the hardware level — but that means developers had to rethink the framework of processors. Some, like Intel, already had.

Flashback to These Catastrophic Bugs

Jann Horn, from Google's Project Zero team, was first to discover the vulnerabilities that Meltdown and Spectre exploited. After these bugs were identified and reported, temporary patches were deployed, but unfortunately, many of these patches affected device performance.

Meltdown targets a vulnerability that exists between a system and the applications running on that system, while Spectre targets a vulnerability between the applications themselves. Spectre is often considered to be more problematic than Meltdown due to how complicated it was to resolve.

New Variants of Meltdown and Spectre

In May of 2018, two new variants of Meltdown and Spectre were reported:

The first was Rogue System Register Read, a vulnerability that potentially allows cybercriminals with local access to read system data through side-channel analysis. This could allow them to steal business-critical information.

The second was a Speculative Store Buffer Bypass, a subgroup of the speculative execution side-channel vulnerability that Meltdown and Spectre use.

Reports in the Wild

Though there were no reports in the wild of Spectre and Meltdown being maliciously used, security firm AV-TEST released a report indicating in February 2018 that there were 139 different types of malware related to these CPU vulnerabilities.

The issue with the Meltdown and Spectre bugs is that they leave no trace in traditional log files. A user or admin will never be able to track a cybercriminal's path if they use either of these bugs.

Fix From Intel Corporation

Intel has introduced 9th generation processors that include permanent fixes to the vulnerabilities that Meltdown and Spectre exploit.

At Intel's Fall Desktop Launch event, they stated "...[our] new desktop processors include protections for the security vulnerabilities commonly referred to as 'Spectre,' 'Meltdown,' and 'L1TF.' These protections include a combination of the hardware design changes we announced earlier this year as well as software and microcode updates."

Best Practices to Enhance Cybersecurity for 2019

1. Always keep your software and hardware updated. Utilize automated patching procedures, specifically with options for customization.
2. Enforce privileged access management onto business sensitive data.
3. Update your devices. This one may require some time, but it seems like upgrading to the newest generation of processors can be an option for eliminating these bugs from your network without sacrificing performance.
4. Cyber awareness also equally contributes to building and sustaining an effective cybersecurity strategy. Keeping up-to-date with cyber trends can be highly beneficial to combat unforeseen threats. Take this quiz to self evaluate your cyber knowledge.

Upgrading all your hardware can take a while, so make sure you deploy the necessary patches, in the meantime, to keep your system free from these speculative execution flaws. Looking back at these major bugs in 2019 will remind us how critical regular patching is and why businesses should never take cybersecurity procedures lightly. Patching can also help businesses defend against ransomware, which has become a persistent threat over the last few years.

Cybersecurity Ventures predicted that ransomware will cost businesses across the globe an estimated $11.5 billion by the end of 2019. Is your business secure enough to face the new year? Start the new year off right by making sure all your systems and applications are up to date.