Details of CPU Security Flaw Emerge from Microsoft, Others

This week's disclosure of a far-reaching CPU security vulnerability has prompted a raft of responses from OS vendors, researchers, chip makers and security software providers.

The security issue -- for which US-CERT issued an alert on Wednesday -- is a big one because malware running locally can use it to read memory holding passwords and encryption keys on most devices. It potentially affects mobile devices, client devices and servers (including public cloud services), running both new and old operating systems, Windows and Linux alike.

The general consensus so far seems to be that consumers will be safe if they keep their systems patched (typically through automatic updates), although applying a firmware patch to the system's CPU may be required of them, too.

IT pros, on the other hand, will be beset by chasing down various vendor details. In some cases, the OS patches they are expecting won't arrive if their anti-malware vendor isn't compliant with certain requirements.

All Devices Affected
Early press accounts this week had described the problem as somewhat specific to Intel CPUs. Intel later issued a statement contesting that implication, and clarifying that the problem isn't considered to be a flaw. Rather, it's an approach using "analysis methods" that can tap into the normal operations of a CPU to steal information.

The general researcher and vendor consensus appears to agree that processors from all three major chip makers -- Intel, AMD and ARM Holdings -- are subject to these attack methods, which use a "side-channel" to extract information from OS kernel memory. The attack approach abuses something that processors do called "speculative execution": the processor runs instructions ahead of time, before it knows whether they will actually be needed, and throws away the results if they aren't. Alas, traces of those discarded results remain in the processor's cache, and malware on the machine can measure them to recover data it should never be able to read, researchers have found. Passwords can be stolen as a consequence, but since the malware is exercising normal processor behavior, anti-malware typically won't detect a problem.

AMD appears to be the only holdout among the chip vendors, contending that its processors are largely unaffected once forthcoming OS patches get applied. AMD representatives have made that claim to news media and in a Linux kernel mailing list post, as well as in this announcement.

A spokesperson for ARM Holdings confirmed via e-mail that the CPU speculative execution exploit techniques affect its high-end processors, "including some of our Cortex-A processors," although the low-power Cortex-M processors used in Internet of Things (IoT) devices aren't affected.

"This is not an architectural flaw; this method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," the ARM Holdings spokesperson clarified.

ARM Holdings has worked with AMD, Intel and partners on the mitigations. Its information about the CPU problem can be found at this site, which has links to a whitepaper and a useful FAQ.

Intel announced that it has started providing software and firmware updates to address the exploits.

"End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available," the announcement explained. The exploits aren't instituted remotely but depend on malware being present locally on a machine, Intel clarified.

Early news reports had described a possible 30 percent performance hit from applying the updates, but Intel's announcement downplayed the idea:

Performance on some workloads or benchmarks may be impacted and will vary depending on the microprocessor and platform configuration (hardware and software). While some specialized workloads may see a noticeable performance impact, for most users any impact will be modest.

Meltdown and Spectre Attack Methods
Perhaps the best explanation of the CPU information disclosure problem comes from researchers at the Graz University of Technology in their description of the "Meltdown" and "Spectre" bugs, which are the two named aspects of this CPU security problem. The researchers note that processors do differ in their exposure to these attack methods.

Meltdown gets its name because it "melts the security boundaries which are normally enforced by the hardware" and it affects Intel processors. It's "unclear" if Meltdown affects AMD and ARM processors, the researchers indicated. Spectre, named after the "speculative execution" processor function, is the bigger problem to address. With the Spectre attack approach, "all modern processors capable of keeping many instructions in flight are potentially vulnerable," the researchers indicated, adding that "in particular, we have verified Spectre on Intel, AMD, and ARM processors."

The researchers don't know if the CPU attack techniques have been used "in the wild" yet. An in-the-wild attack means that the exploit has moved beyond the theoretical realm and is an ongoing threat to organizations and individuals. IT pros, for their part, won't be able to detect the attacks by reviewing traditional log files, and anti-malware solutions are unlikely to detect the attacks either, the researchers indicated.

IT pros can find helpful links at the end of the Graz University of Technology's article about the CPU problem, including links to the specific security advisories released by various vendors.

A technical discussion on the CPU security issue is described in Google's Project Zero post, "Reading Privileged Memory with a Side-Channel."

Project Zero researchers first privately told AMD, ARM and Intel about the problem on June 1, 2017. They first openly published information about it on Jan. 3, 2018. That publication likely prompted software and hardware vendors to release a flood of information this week, since the exploits are now publicly exposed.

According to Project Zero researchers, the attack methods have three variants:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

The Spectre attack approach uses variants 1 and 2, while Meltdown taps the variant 3 approach, according to Project Zero researchers. Google also published a more general announcement about the CPU vulnerability in this post, which also describes how Google products may be affected.

Microsoft's Early Patch Release
Microsoft, for its part, on Wednesday released patches in advance of its Jan. 9 "update Tuesday" security patch release, possibly because this researcher-discovered issue is now openly described. A Microsoft spokesperson indicated via e-mail Wednesday that it had closely worked with chip manufacturers on the issue, and was releasing the updates:

We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

Microsoft issued a Security Advisory (ADV180002) on Wednesday describing its updates and recommended actions. Consumers should use its automatic update service, but they may have to apply a CPU firmware (microcode) update from their device manufacturer, as well. Microsoft offers advice for IT pros regarding Windows clients here, and for Windows Server here.

There's also a catch concerning anti-malware solutions: the installed anti-malware product needs to be a "supported" or "compatible" application before the machine gets Microsoft's updates. The updates won't arrive if the anti-malware isn't deemed to be compatible. The restriction, which avoids potential blue-screen problems, concerns anti-malware that makes "unsupported calls into Windows kernel memory," according to a Microsoft support article:

The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

The anti-malware vendors have to set a Windows registry key to signal that their product is compatible; Windows Update withholds the January updates from machines where that key isn't present. A running list of those vendors and their compatibility status is tallied at this page, which was posted by a forum participant.
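For IT pros chasing down why a machine hasn't received the January updates, the following PowerShell script is an added example (not code from the article, from Microsoft or from any anti-malware vendor). It checks the compatibility registry value that Microsoft's support article describes (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, value name cadca5fe-e7f9-4a79-9f6e-22a5dc3a3e30, a DWORD set to 0), and then queries the mitigation state using Get-SpeculationControlSettings from Microsoft's SpeculationControl module, which ADV180002 points to. It assumes PowerShell 5 or later and, for the module install, access to the PowerShell Gallery.

```powershell
# Added example: check the anti-virus compatibility gate for the January 2018
# Windows updates and report Meltdown/Spectre mitigation status.
# Assumptions: PowerShell 5+, PowerShellGet available, and network access to the
# PowerShell Gallery for Install-Module. Run from an elevated prompt.

$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-e7f9-4a79-9f6e-22a5dc3a3e30'

function Test-AvCompatFlag {
    # Returns $true only when the value exists and is 0. If it is missing,
    # Windows Update will not offer the January 3, 2018 security updates.
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatName -eq 0)
}

function Set-AvCompatFlag {
    # Only set this yourself after the anti-virus vendor has confirmed that the
    # installed product does not make unsupported calls into kernel memory.
    # Forcing the flag on an incompatible product is how the blue screens happen.
    if (-not (Test-Path $compatKey)) {
        New-Item -Path $compatKey -Force | Out-Null
    }
    New-ItemProperty -Path $compatKey -Name $compatName -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Get-MitigationState {
    # Microsoft's SpeculationControl module reports whether the OS support for
    # branch target injection (BTI, Spectre variant 2) and kernel VA shadowing
    # (KVA shadow, the Meltdown mitigation) is present and enabled, and whether
    # the CPU microcode needed for the variant 2 mitigation is present.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    return (Get-SpeculationControlSettings)
}

if (Test-AvCompatFlag) {
    Write-Host 'AV compatibility flag present: the January 2018 updates can be offered.'
} else {
    Write-Host 'AV compatibility flag missing: confirm with the anti-virus vendor before setting it.'
}

$state = Get-MitigationState
$state | Format-List BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, `
                     KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled
```

A machine that shows the flag present but BTIWindowsSupportEnabled or KVAShadowWindowsSupportEnabled as False has either not yet installed the OS update or is missing the firmware update from its hardware maker (BTIHardwarePresent False), which is the other half of the fix the article describes.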

Microsoft on Wednesday also rebooted the majority of Azure virtual machines in advance of its Jan. 9 maintenance window to apply its security updates for its public cloud services, according to an announcement. Most Azure customers "should not see a noticeable performance impact with this update," it added. Organizations don't have to take any action besides maintaining good security practices. Microsoft's Azure reboot "does not require an update to your Windows or Linux VM images," the announcement explained. It's possible to see that the VM reboots were completed via "the Azure Service Health Planned Maintenance Section in your Azure Portal," Microsoft explained.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.