ANALYSIS: For some users protecting your systems against Spectre and Meltdown will be straightforward, but for others more complicated
The first thing to know about the two processor vulnerabilities affecting Intel and other chip makers is that, at the time of writing, no exploits for them have been seen in the wild. This means that if you can’t find a fix for the Spectre or Meltdown vulnerabilities for your organization’s computers, you don’t have to panic—yet.
But that doesn’t mean you shouldn’t start working on a permanent solution to the problem, because it’s very real, and eventually it’s likely that someone, somewhere, will find a way to use the vulnerabilities to hack into something.
Both vulnerabilities are present in Intel chips and have been since 1995. However, it would be wrong to call either a bug or a design flaw, because the chip makers deliberately used the features behind the vulnerabilities to improve performance.
How to protect against Meltdown & Spectre
Meltdown is based on the sharing of memory between the kernel and an application. Spectre is based on speculative execution, a technique in which the processor guesses which instructions will be needed next and begins executing them before the outcome is known.
Researchers at Google Project Zero found that extremely subtle timing differences in how a processor executes instructions could reveal the contents of memory. Likewise, sharing kernel memory with applications allowed some leakage of memory contents. Either could be used by malware authors to gather protected information.
There are three potential pathways for malware to exploit these vulnerabilities and gain access to a system. The two most serious are through a browser and through the computer’s operating system. Closing them requires the OS vendors and browser developers to make changes that protect against these attacks.
Browser developers are already starting to send out updates. Firefox has already been updated; Microsoft has sent out updates for its Edge and Internet Explorer browsers. Google has said it will update the Chrome browser soon.
The third pathway is through the processor itself. Closing it requires microcode updates, delivered either by reflashing the processor’s microcode or by reflashing the computer’s BIOS, to work around the problem. But when it comes to updating your hardware, you may find yourself in Update Hell.
This is because you depend on the maker of the computer to provide the required firmware updates, and whether you can get an update easily—or at all—depends on which company made your computer or server.
I investigated updates for computers and servers from three vendors: Dell, Hewlett Packard and Lenovo. Where possible, I attempted to perform the necessary updates by downloading and flashing the relevant firmware or BIOS.
Lenovo made it easy. The company provides an update engine that’s included with its products—even old ones—that will find and download the files needed for the update. Then it will ask you when it’s OK to install them. The process is automated and fast.
I don’t have an operational Dell machine in my office right now, but a search revealed Dell’s support pages for its client PCs and servers. These allow users to search for their specific computer models. Next you are referred to a link where you can download the updated firmware. While I didn’t try the updates for Dell’s full line of servers, there didn’t seem to be restrictions on what you can download.
The situation is different with HP. First, the company has divided itself into two parts, HP and HPE (Hewlett Packard Enterprise). Servers and other enterprise hardware are handled by HPE while consumer and business computers such as laptops, desktops and workstations are handled by HP.
Getting firmware updates from HP is fairly easy, but the company does not appear to have released any updates for these vulnerabilities. Some of the firmware downloads available on HP’s business computer site haven’t been updated for years.
At HPE the firmware updates may be available, but unless your machine is under warranty or you have been paying HPE for a maintenance contract, you’re out of luck. You can tell this because when you go to the download page for HPE servers, you’ll see the words “entitlement required,” which means that if you can’t prove you’ve been paying for support, you don’t get the update.
What makes things worse is that even though HPE indicates you may be able to pay a license fee for the update, there’s no apparent means of doing so, and customer service personnel aren’t able to help. So if you have equipment from HPE, you’re on your own, with one less-than-convenient recourse: find another server vendor.
You should note that not every computer with every processor is going to receive updates immediately. While Intel has released updates to the manufacturers, it’s up to them to turn those into a readily accessible package you can use to flash your firmware and microcode. Expect newer hardware to be covered first. You need to keep checking and hope you get lucky.
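As an added example (not from the article), here is a small POSIX shell script that reads the Linux kernel’s own mitigation report for Meltdown and Spectre, which is the quickest way to confirm after an OS or firmware update whether the fixes actually took effect on a given host. It assumes a Linux host with kernel 4.15 or later, and it includes a constructed sample directory so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the article): summarise the Linux kernel's report of
# Meltdown/Spectre mitigation status. Since kernel 4.15 the kernel exposes one file
# per issue under /sys/devices/system/cpu/vulnerabilities; the spectre_v2 line also
# reflects whether the CPU microcode provides IBPB/IBRS, so it changes after a
# successful firmware update. The directory is a parameter so the check can run
# against a constructed copy as well as the live system.

LIVE_DIR=/sys/devices/system/cpu/vulnerabilities

# check_mitigations DIR: prints one line per issue (name, verdict, kernel text).
# Returns 0 only if every issue reads "Not affected" or "Mitigation: ...".
check_mitigations() {
    dir="$1"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            printf '%-10s %-10s %s\n' "$name" MISSING "no status file (old kernel or sysfs not mounted)"
            rc=1
            continue
        fi
        status="$(cat "$f")"
        case "$status" in
            "Not affected"*|"Mitigation:"*) verdict=OK ;;
            *) verdict=VULNERABLE; rc=1 ;;   # covers "Vulnerable", "Vulnerable: ...", "Unknown"
        esac
        printf '%-10s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return "$rc"
}

# make_sample_dir: constructed sample (not captured from a real machine) showing a
# host whose kernel has page-table isolation but whose microcode still lacks IBPB.
make_sample_dir() {
    d="$(mktemp -d)"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample; pass --live to inspect the real host.
if [ "${1:-}" = "--live" ]; then
    check_mitigations "$LIVE_DIR"
else
    check_mitigations "$(make_sample_dir)" || echo "Sample host: at least one issue still unmitigated"
fi
```

Run it with `--live` on each machine after applying vendor firmware and OS updates; a spectre_v2 line that still begins with "Vulnerable" means the microcode update has not landed yet.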
Originally published on eWeek