How many high-risk vulnerabilities are exposed by Intel chips?
On June 4th, foreign security research institutions announced two groups of CPU vulnerabilities: Meltdown and Spectre.

Although no real-world exploitation has been observed so far, in theory any CPU that can access virtual memory may be maliciously accessed, and important information that should be protected, such as passwords and application keys, is also at risk.

Judging from the current situation, most mass-produced processors since 1995 may be affected by the above vulnerabilities, and most general-purpose operating systems are involved. Although Intel is the main vendor affected, most mainstream processor chips such as ARM and AMD are also affected. Accordingly, mainstream operating systems such as Windows, Linux, macOS and Android, and devices that use these chips, such as computers, tablets, mobile phones and cloud servers, are all affected by the above vulnerabilities.

Unfortunately, Intel itself cannot fix these vulnerabilities through a firmware upgrade, which has led operating system developers such as Microsoft and Apple to seek their own patches one after another.

On June 4th, the China National Vulnerability Database recorded these two vulnerabilities and rated them as "high risk".

Subsequently, local network security departments issued security reminders. On 10/5, the Shanghai Netcom Office issued an early warning notice to the directors and operating units of key information infrastructure in the city, requiring all units to activate their network security emergency plans and take countermeasures.

Network security experts said that although the vulnerability has a wide impact and attracted global attention, the cloud service vendors are the most affected, and ordinary users need not be too alarmed.

Q: How are the vulnerabilities exploited?

Under normal circumstances, normal programs can't read the data stored by other programs, but malicious programs can use Meltdown and Spectre to obtain the private information stored in the memory of other running programs.

Specifically, according to experts from the Tencent PC Manager security team, a low-privileged user can use the Meltdown vulnerability to access kernel memory and obtain low-level information about the local operating system. When a user visits a website containing a malicious Spectre exploit through a browser, personal information such as account numbers, passwords and email addresses may be leaked. In the cloud service scenario, Spectre can break through the isolation between users and steal other users' data.

At present, proof-of-concept (PoC) code for the vulnerabilities has been published, and the technical details are not repeated here. Tencent's security team has verified in practice that the vulnerabilities can be used to read the contents of any specified memory address under Windows, Linux, macOS and other operating systems.

Q: What is the principle behind the vulnerabilities?

These two groups of vulnerabilities stem from features that chip manufacturers introduced to improve CPU performance.

To improve processing performance, modern CPUs use out-of-order execution and speculative execution. Out-of-order execution means that the CPU does not execute instructions in strict program order; instead it groups instructions by their dependencies, executes the groups in parallel, and finally combines the results of each group. Speculative execution means that the CPU predicts the outcome of a conditional branch from the information currently available and then executes the predicted branch in advance.

When out-of-order or speculative execution encounters an exception or a branch misprediction, the CPU discards the results of the instructions it executed ahead of time, restores its state to the correct state from before the out-of-order or speculative execution, and then continues with the correct instructions. This recovery mechanism ensures that the program executes correctly, but the problem is that the contents of the CPU cache are not restored when the CPU state is rolled back, and these two groups of vulnerabilities take advantage of this design flaw to carry out side-channel attacks.

Q: Why did such a shocking vulnerability stay hidden for so long?

The vulnerability was discovered by security researchers at least as early as the beginning of 2016, but Intel didn't finally admit the vulnerability until the beginning of this year. The Wall Street Journal quoted security experts as saying that Intel did a terrible job in disclosing this incident.

In August 2016, at the Black Hat cybersecurity conference held in Las Vegas, USA, two researchers, Anders Fogh and Daniel Gruss, showed early signs of the vulnerabilities. Fogh also published a blog post in July last year, encouraging other researchers to investigate.

At the same time, Jann Horn of Project Zero, Google's internal security research team, had discovered the problem and informed Intel. Eventually, three other research teams from around the world contacted Intel about the same issue, and Intel then communicated with them and wrote a paper.

But this chip vulnerability can be traced back to at least 2010, and the general architectural principle behind it has a history of several decades. Then why didn't Intel find the vulnerability earlier? Intel did not respond directly to this question.

Dr. Meng Kui from the School of Cyberspace Security of Shanghai Jiaotong University said that there may be two reasons why this security vulnerability broke out fully at this point in time. First, Intel's repair work has been inefficient and too slow, putting pressure on the industry. Second, because information about the vulnerability has been leaking for a long time, it may be exploited by attackers, so measures must be taken immediately.

Q: Are there any reports of malicious attacks?

Tencent, 360 and other security vendors all said that no known cases of exploiting these vulnerabilities have been found.

The National Cyber Security Center said that there was no evidence that Meltdown and Spectre were used to steal data, but the nature of the attack made them difficult to detect.

Zheng, general manager of 360 Core Security Division and head of the Vulcan team, told the newspaper that although attackers can use this vulnerability to steal private information, they cannot control computers, escalate privileges or break through the isolation of virtualized systems. In addition, the vulnerability cannot be exploited remotely, and, unlike the "EternalBlue" vulnerability, it cannot be used for attacks without any user interaction.

Tencent security experts said that although the vulnerability details and PoC have been made public, they cannot be applied directly in attacks. Many details remain to be solved before the vulnerabilities can be used in real attacks. At present, there is no stable and universal exploit code that can cause obvious serious consequences (stealing account passwords, etc.).

Q: How are the vulnerabilities being fixed?

According to a report in the British newspaper The Guardian, because the vulnerability is caused by a design defect at the lowest level of the chip, it will be very complicated to repair, and it is difficult to repair it perfectly.

Zheng said that CPU hardware vulnerabilities are difficult to fix, and that this problem cannot be solved only through security updates from CPU manufacturers (such as CPU microcode upgrades). Fixing these vulnerabilities requires the cooperation of operating system vendors, virtualization vendors, software and hardware vendors, browser vendors and CPU vendors, and only complex and extremely in-depth modifications can completely solve the problem.

After the vulnerability was exposed, various chip vendors, operating system vendors, browser vendors, and cloud service vendors responded one after another, actively taking measures, issuing security bulletins, and timely launching mitigation measures and patches.

Intel recommends watching for subsequent chipset updates and motherboard BIOS updates; Linux released the KAISER patches against Meltdown; macOS was fixed starting with 10.13.2; Google said it has been fixed; Windows 10 Insider builds were fixed at the end of last year; the Windows 10 Fall Creators Update received KB4056892, which will be installed automatically; Amazon AWS subsequently published guidance. For the more difficult Spectre vulnerability, vendors are still working on a solution.

In response to this vulnerability, the Shanghai Netcom Office has taken urgent measures. The first is to closely track the latest developments and assess the impact of the vulnerabilities on each unit's systems in a timely manner. The second is to track and test the patches released by chip manufacturers, operating system manufacturers and security vendors in a timely manner, and, on the basis of a comprehensive and prudent evaluation, to make a repair plan and install the patches promptly. The third is to further strengthen the network security protection of key information infrastructure, strengthen the collection of threat intelligence, and report network security incidents to the Municipal Network Information Office in a timely manner.

Q: How do ordinary users guard against vulnerabilities?

At present, netizens can protect themselves through the following security strategies:

1. Install the latest operating system and virtualization software patches: Microsoft, Linux, MacOSX, XEN and others have all released corresponding system patches, which prevent these vulnerabilities from being exploited once installed;

2. Install the latest browser patches: Microsoft IE, Edge and Firefox have all released browser patches, which prevent these vulnerabilities from being exploited once installed;

3. Wait or ask your cloud service provider to update the virtualization system patch in time;

4. Install security software.
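As an added example (not from the article or from any vendor named in it), the following Python script shows how a Linux user can confirm that the operating system patches from step 1 are active by reading the kernel's per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities`. The sample status strings written by `make_sample` are constructed for illustration, and treating a missing file as "needs action" is an assumption of this example.

```python
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map the kernel's one-line status string to a coarse state."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(directory=SYSFS_DIR, entries=ENTRIES):
    """Return {entry: (state, raw_text)} for each status file."""
    report = {}
    for name in entries:
        try:
            with open(os.path.join(directory, name), errors="replace") as fh:
                text = fh.readline().strip()
        except OSError:
            # No file: the kernel predates the patches or this is not Linux.
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(text), text)
    return report

def needs_action(report):
    """Entries that are not confirmed as mitigated or unaffected."""
    bad = ("vulnerable", "unknown", "unreported")
    return sorted(n for n, (state, _) in report.items() if state in bad)

def make_sample(directory):
    """Write constructed sample files; spectre_v2 is left out on purpose."""
    sample = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
    for name, text in sample.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    directory = SYSFS_DIR
    if not os.path.isdir(directory):      # fall back to the constructed sample
        directory = tempfile.mkdtemp()
        make_sample(directory)
    report = read_status(directory)
    for name, (state, text) in report.items():
        print(f"{name:12} {state:12} {text}")
    print("needs action:", needs_action(report))
```
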

Tencent security experts said that the main harm the vulnerability may cause comes from visiting a webpage that contains exploit code with a browser, resulting in the disclosure of sensitive information (account passwords, etc.). As long as you develop good browsing habits and don't casually click on links sent by strangers, you will basically not be affected by the vulnerabilities. At the same time, the patches and mitigation measures released by browser vendors for the vulnerabilities are simple and effective, and will not cause performance degradation or compatibility problems. Users can upgrade their browsers to the latest version to avoid attacks that use the vulnerabilities.

Q: Is it true that "patching will cause CPU performance loss of 30%"?

The hotfix itself does have many problems.

According to Tencent security experts, taking Windows 10 as an example, Microsoft urgently released a system security update in the early morning of October 4th, Beijing time, but the patch has obvious performance and compatibility problems: on the one hand, the update may reduce the performance of the affected system by 30%; on the other hand, the update may be incompatible with some software (security software, etc.), resulting in a system blue screen.

However, according to actual tests by the Tencent security team, the performance problems have little impact on ordinary users: obvious performance problems occur only under extreme tests and generally do not appear during normal use.

Zheng of 360 also said that this statement is one-sided, and that the 30% performance loss occurs under extremely special test conditions. The performance loss of these patches is almost negligible for ordinary users, especially when their computer hardware is relatively new (such as most Macs and notebooks on sale and 32-bit x86 operating systems). Next, vendors including Microsoft and Intel will release further targeted patches to reduce the performance loss.

However, the Tencent security team warned that the compatibility problem is indeed serious: on computers with security software and some games installed, a blue screen is more likely when installing the patches. This has also led many security vendors to adopt a more conservative strategy and not actively push Microsoft's patches for the time being, so as not to leave users' computers unable to work normally.