Spectre and Meltdown are hardware vulnerabilities that allow an attacker running unprivileged code to read from privileged memory. For example, they allow a user-mode program such as Notepad to read the entire kernel memory. An attacker can leverage this as part of a privilege escalation attack or, in some scenarios, in remote exploits. Malware that attempts to leverage it will still need to gain access to the machine and execute like any other malware. Thus enSilo will be able to block malware that tries to leverage this flaw.
The Meltdown vulnerability is restricted to Intel processors. The Spectre vulnerability, however, affects server, workstation and mobile systems and operating systems such as Windows, Linux and macOS. It was shown to work on ARM, Intel and AMD processors.
- Vulnerability: a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself.
- Exploit: the use of one or more vulnerabilities in order to carry out some form of malicious intent, such as a denial-of-service attack, infiltration, privilege escalation, ...
- Malware: short for malicious software, an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.
- Evasion: bypassing an information security device in order to deliver an exploit, attack, or other form of malware to a target network or system without detection.
The Spectre and Meltdown vulnerabilities can be used by attackers to read privileged memory. One use case is to leverage this as part of a privilege escalation exploit in order to take over the affected system. Spectre can also be leveraged as part of a remote exploitation scenario. For example, an attacker can use Spectre to read the entire address space of a browser process remotely by crafting malicious JavaScript code; note that in order to fully exploit the browser, another, unrelated vulnerability will be needed.
The software patch that was released, dubbed Kernel Page-Table Isolation (KPTI), mitigates the attacker's capability to read privileged data from operating system memory. However, the patch also has a side effect: it may cause a 40% system slowdown.
AV and NGAV will not be able to defend against the Spectre and Meltdown vulnerabilities themselves, but they may be able to detect and stop malware attempting to exploit these vulnerabilities.
Organizations can do the following to protect against Spectre and Meltdown vulnerabilities.
- Patch Systems: Install the Kernel Page-Table Isolation (KPTI) patch on all Windows, Linux and other systems.
- Multi-Layered Security: To complement pre-infection defenses such as NGAV, we suggest deploying post-infection protection capabilities such as enSilo's endpoint security agent. enSilo software has full kernel-level visibility on the endpoint and can detect and stop malware threats that utilize the Spectre and Meltdown vulnerabilities in real time.
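The "Patch Systems" step above only helps if the mitigation is actually active after the update. The following shell script is an added example, not code from the original post or from enSilo: it reads the per-vulnerability status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities and reports whether Meltdown and both Spectre variants show a mitigation (KPTI appears there as "Mitigation: PTI"). The parsing functions take the status line as an argument, so the sample strings at the bottom are constructed stand-ins for what a patched host would report, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Linux kernel
# mitigation status for Meltdown and Spectre using the sysfs interface
# exposed by kernels 4.15 and later. Parsing is separated from reading
# the files so the same logic can be exercised offline on sample strings.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a coarse verdict: mitigated, vulnerable, unknown.
classify_status() {
  case "$1" in
    "Not affected"*|"Mitigation:"*) echo mitigated ;;
    "Vulnerable"*)                  echo vulnerable ;;
    *)                              echo unknown ;;
  esac
}

# Return 0 when the meltdown status line shows page-table isolation (KPTI)
# is active; the kernel reports it as "Mitigation: PTI".
kpti_enabled() {
  case "$1" in
    "Mitigation: PTI"*) return 0 ;;
    *)                  return 1 ;;
  esac
}

# Return 0 only when every supplied status line is mitigated. Arguments are
# the raw status lines, e.g. for meltdown, spectre_v1 and spectre_v2.
all_mitigated() {
  for line in "$@"; do
    [ "$(classify_status "$line")" = mitigated ] || return 1
  done
  return 0
}

# Read the live sysfs entries and print one line per vulnerability. A missing
# entry usually means the kernel predates the interface; treat the host as
# unpatched until proven otherwise. Exit status is 0 only if all are mitigated.
report_live() {
  rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    path="$VULN_DIR/$name"
    if [ -r "$path" ]; then
      line=$(cat "$path")
    else
      line="sysfs entry missing"
    fi
    verdict=$(classify_status "$line")
    [ "$verdict" = mitigated ] || rc=1
    printf '%-10s %-10s %s\n' "$name" "$verdict" "$line"
  done
  return $rc
}

# Constructed sample status lines, modelled on a patched kernel (not captured
# from a real host); used to exercise the parsing functions offline.
SAMPLE_MELTDOWN="Mitigation: PTI"
SAMPLE_SPECTRE_V1="Mitigation: __user pointer sanitization"
SAMPLE_SPECTRE_V2="Mitigation: Full generic retpoline"

report_live || echo "one or more mitigations missing on this host"
```

Run it as an unprivileged user on each Linux host after patching; the sysfs files are world-readable. A "vulnerable" or "unknown" verdict on any line is the signal to follow up, since a kernel that has been installed but not yet booted, or one booted with mitigations disabled, will report exactly that.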
enSilo had early access to the Windows patch released by Microsoft on January 4, 2018 and has been thoroughly testing it during the past month. Updates to the existing enSilo platform are required in order to be protected from attacks that leverage this vulnerability. enSilo's pre- and post-infection prevention capabilities can fully protect against malware that leverages these vulnerabilities.
enSilo Cloud Infrastructure runs on Google Cloud which has implemented protections to ensure virtual devices running in the Google Infrastructure are not at risk from this vulnerability.