One Year Later: Ensuring Windows is Protected from Meltdown+Spectre

2018: The year of speculative execution bugs

A year ago, in January 2018, three hardware vulnerabilities known as Meltdown, Spectre Variant 1, and Spectre Variant 2 were disclosed to the public.

Although disclosure was supposed to occur on January 9, news outlets found updates in the Linux Kernel and broke word early on January 3, kicking off the year with a pretty big headache for IT and security teams across the globe.

DevOps Connect:DevSecOps @ RSAC 2022

These vulnerabilities were described in detail in different papers and articles quite rapidly following the disclosure. A summarized way to describe the vulnerabilities would be that speculative execution, a feature used by CPUs to predict what to do next and improve performance, could be exploited to get programs to reveal information they should not have access to. The full papers are a great read.

During the first weeks, information on what patches to deploy, features to enable, and what vulnerability they actually fixed were updated daily, causing a great deal of confusion.

For example:

  • Windows Server updates did not mitigate the issue unless a new setting was enabled, due not only to potential performance issues as well as incompatibilities with AV.
  • Hypervisors, hardware and operating systems all required different software and firmware updates, making it quite hard to understand what systems were vulnerable or not.
  • The attack requires some amount of code execution, as such, web browsers were a prime target, and the first mitigations for Chrome were not enabled by default.
  • It was known hardware would (Read more...)

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Guillaume Ross. Read the original post at: