Following the recent discovery of vulnerabilities in Intel, AMD and ARM CPUs, Google engineers developed a new chip-level patch that specifically addresses one of the three issues, namely the “Branch target injection” that’s also referred to as “Spectre”.
Dubbed “Retpoline”, which is derived from “return” and “trampoline”, Google’s software construct is supposed to isolate indirect branches from speculative execution, effectively protecting select binary files – that belong to the operating system or the hypervisor – from Spectre-powered attacks.
“It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly,” reads the Google post. “If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.”
Countering speculation that installing security fixes for this issue might seriously downgrade CPU performance, Google’s technique allegedly has a “negligible impact on performance”. This should excite businesses and Google Cloud customers, as some of them feared poor performance and higher costs. While Intel said performance penalties will likely differ based on workloads, Google’s announcement offers a breath of hope – at least to their customers – as they don’t seem to be very affected.
The technique has already been applied to Google Cloud, and it’s their belief that other companies can follow in their footsteps to patch at least the Spectre vulnerability without using the Retpoline technique to avoid any significant slowdowns. Testing the patch is recommended before fully deploying it in your infrastructure, as it’s likely performance penalties will vary for each use case.
To fully prevent any of the reported vulnerabilities from being exploited, it’s recommended to install the latest patches from your CPU manufacturer, to ensure cybercriminals can’t exploit either “Meltdown” or “Spectre” vulnerabilities. The same advice serves both average users and businesses, as the vulnerability can indiscriminately affect anyone using a vulnerable chip.
How to Protect Yourself?
Since every CPU produced in the past 20 years is affected by both “Meltdown” and “Spectre”, everyone from Android users to Windows and Mac owners are equally affected. So here’s what you need to do to protect yourself:
- Android users will eventually receive the patch, depending on when manufacturers and carriers push it, but Google-branded phones should receive the fixes starting January 5th 2018. Keep an eye on your Android Update notifications to install the latest version that fixes these serious vulnerabilities
- iPhone and iPad users should already be protected if their OS version is 2 or later, as the fixes were introduced with the December 2nd 2017 update. Otherwise, hit Settings > General > Software Update to download the latest version.
- Windows users running Windows 10 should check the Settings > Update & security setting to make sure they have no pending security updates. For those running Windows 10 version 1709 (Fall Creators Update), installing the Security Update for Windows (KB4056892) patch should do the trick. Otherwise, you can manually install the patch by checking the Windows Update Catalog page.
- Firmware Updates cloud also become available from your system’s vendor – as this is a hardware issue – and you might want to check out your laptop’s manufacturer support page for those as well. This shouldn’t conflict with your Windows patch, and it’s best to add as many layers of protection as possible.
- Macs contain fixes if you’re running the Mac OS High Sierra 10.13.2 update that rolled out December 6th Your iMacs, MacBooks, Mac Pros and Mac Mini should all be updated to the latest OS version, so updating your devices is now more important than ever.
- Browsers have also claimed to release patches that prevent web-based attacks. Chrome has a Site Isolation feature that enables each tab to run in its own instance instead of a single thread. Write chrome://flags/#enable-site-per-process in your address bar, look for Strict Site Isolation, hit Enable, then hit Relaunch Now. Also, Mozilla, Microsoft, Apple and Firefox stated they’ll release updated versions of their browser to prevent web-based attacks from exploiting these vulnerabilities, so keep an eye out for those as well.
As a side note, any device that has an Intel, AMD or ARM CPU is technically vulnerable, so it’s probably best to check the manufacturer’s page for any software or firmware updates.
This is a Security Bloggers Network syndicated blog post authored by Liviu Arsene. Read the original post at: HOTforSecurity