Spectre and Meltdown flaws being exploited by more than 100 strains of malware

Security researchers are discovering a growing amount of malware that exploits the Spectre and Meltdown CPU flaws.

Spectre and Meltdown are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone—allowing hackers to read sensitive information, such as passwords, from memory.

Researchers have gathered more than 130 samples of malware that try to exploit Meltdown and Spectre, although most appear to be proof-of-concept code rather than being used in attacks.

Security firm Fortinet says all of the publicly available samples of malware it analyzed appeared to be test code, although it was unable to analyze some Spectre/Meltdown-exploiting malware, due to it not being released into the public domain.

Much of this new malware was identified by the AV-TEST Institute, which found 139 samples targeting Meltdown (CVE-2017-5754) and both variants of the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715). This malware was targeted at PCs running Windows, macOS and Linux-based operating systems, and also includes JavaScript malware designed to run in the Internet Explorer, Chrome and Firefox browsers.

Since the Meltdown and Spectre flaws were publicly revealed in January, major operating systems and browsers have received patches to reduce the risk from both vulnerabilities.

"I'm sure, the malware writers are still in the "research phase" for attacks, but I wouldn't wonder if we see the first targeted attacks, or even more widespread malware, in the near future," said Andreas Marx, CEO of AV-TEST.

"The most likely attack method regarding Spectre and Meltdown will be via web browsers and their integrated scripting engines. So I'd recommend to upgrade to the latest available versions as soon as possible," he said, adding that closing the browser and shutting down the PC when it's not in use would also reduce the risk.

SEE: Incident response policy (Tech Pro Research)

However, patching against variant 2 of the Spectre vulnerability has proven to be particularly difficult, due to it being related to a fundamental feature of modern CPUs, specifically their use of Branch Prediction and Speculative Execution to accelerate the rate at which they operate.

The upshot has been that Intel firmware updates to reduce the risk of a successful attack exploiting Spectre variant 2 have caused instability and unexpected reboots in systems, leading Intel to pull the fix.

Both Intel and AMD, the firms whose chips are found inside most PCs and servers, say they are working on mitigating the risk posed by Spectre vulnerabilities in future processors.

However, it remains to be seen whether AMD and Intel will be able to redesign their processors to nullify the risk from Spectre without having a significant impact on performance.

"One of the key challenges with addressing the Meltdown and Spectre vulnerabilities — besides the fact that the affected chips are already embedded in millions of devices running in home or production environments — is that developing a patch that resolves their exposed side-channel issues is extremely complicated," said researchers from Fortinet.

"Which is why, in addition to establishing an aggressive and proactive patch-and-replace protocol, it is essential that organizations have layers of security in place designed to detect malicious activity and malware, and to protect vulnerable systems."

Read more

• Intel: Don't install our Spectre fix, risk of unwanted reboots is too great (TechRepublic)
• Intel chips have critical design flaw, and fixing it will slow Linux, Mac, and Windows systems (TechRepublic)
• 26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic)
• Meltdown-Spectre: More businesses warned off patching over stability issues (ZDNet)
• Intel halts some chip patches as the fixes cause problems (CNET)
• Spectre flaw: Dell and HP pull Intel's buggy patch, new BIOS updates coming (ZDNet)
• Spectre-Meltdown glitches: Intel warns that new PCs, servers also risk unexpected reboots (TechRepublic)
• This fake Spectre/Meltdown patch will infect your PC with malware (TechRepublic)
• Spectre and Meltdown: Insecurity at the heart of modern CPU design (ZDNet)
• How to protect yourself from Meltdown and Spectre CPU flaws (CNET)