Background
In January 2018, a group of computer chip makers and software publishers alerted the world to the Meltdown and Spectre vulnerabilities.
Meltdown affects computing devices regardless of the operating system. It exploits an optimization feature in many Intel chips known as “out-of-order execution.” The outcome is that malware on a computer powered by an affected chip can read the physical and kernel memory of the device. This memory can, for example, contain unencrypted passwords that were recently used.
You can read a detailed, technical explanation of Meltdown here:
https://meltdownattack.com/meltdown.pdf
Spectre also affects processors from Intel, as well as AMD and ARM. Spectre exploits a chip concept called “speculative execution.” In order to improve performance, many chips guess the next operation to be performed and run it before being specifically instructed to. Spectre encourages the chip to run an incorrect “guess” and then recovers, from the cache, traces of the memory that guess touched, because the cache state is not rolled back when the correct instruction is eventually run.
You can read a detailed, technical explanation of Spectre here:
https://spectreattack.com/spectre.pdf
Recent Activity
Since the January announcement:
- Additional variants of both Meltdown and Spectre have been discovered.
- Vendors have since made various microcode (firmware updates that change the processor’s behavior and performance), BIOS and software patches available and continue to do so.
- These updates have in some cases impacted computer performance to a noticeable degree.
- Malware creators have attempted to exploit the vulnerabilities.
- Some malware creators have decided that it is easier to exploit the concern around Meltdown and Spectre than the vulnerabilities themselves, and are circulating “patches” that actually distribute malware.
Meltdown, Spectre and IT Due Diligence
One of the most important things any organization can do to improve cybersecurity is to stay up to date with all relevant operating system and software patches. Many breaches and other cybersecurity incidents can occur only when known vulnerabilities are not patched.
When evaluating a company’s technology expertise during IT due diligence, a review of the process for monitoring and deploying patches is very enlightening. Many organizations are far too casual in their approach. This is not acceptable when it comes to Meltdown and Spectre.
Even though exploiting these chip vulnerabilities is difficult, the risk of exposing critically important information is too great to ignore. In all but the most exceptional cases, any performance penalty related to the patches should be an acceptable price to pay for the assurance of security.
During IT due diligence, ask the staff at the target company what they’ve done so far to mitigate Meltdown and Spectre. In the worst case scenario, they may not know what you’re talking about. If so, given the fact that this is one of the most well-publicized and potentially dangerous IT security risks ever, you should be concerned that other basic but less obvious security risks have not been addressed.
In a perfect world, the response you receive would be that the staff at the target company heard about the issue when it was announced, have been monitoring the latest developments with their relevant vendors and have implemented all patches that have been released. This should include chips, operating systems, and software such as browsers (which have been shown to be able to host a Spectre attack via JavaScript). Browsers may need certain configuration changes to provide protection.
Ideally, the target company would maintain written policies and procedures that describe the patching process. This should include how needed patches are identified, how they are tested before being applied to production systems and how the current patch status of each device is tracked.
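One concrete way to verify the “current patch status of each device” claim on Linux hosts is the kernel’s own report under /sys/devices/system/cpu/vulnerabilities/, where each file is named after a vulnerability (meltdown, spectre_v1, spectre_v2, …) and reads “Not affected”, “Mitigation: …” or “Vulnerable…”. The script below is an added example, not part of the original article; it checks a real host’s sysfs directory and, for demonstration, also builds a constructed sample directory with made-up status strings so it can run anywhere.

```shell
#!/bin/sh
# Added example: summarise a Linux host's Meltdown/Spectre mitigation status
# from the kernel sysfs interface (present in Linux 4.15+ and vendor backports).

VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# Print one line per vulnerability file in DIR and echo the number of entries
# whose status still begins with "Vulnerable". Always returns 0 so it can be
# used inside $(...); the count on stdout is the result.
count_unpatched() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: not Linux, or a kernel too old to report status" >&2
        echo 0
        return 0
    fi
    unpatched=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) unpatched=$((unpatched + 1)); echo "FAIL $name: $status" >&2 ;;
            *)           echo "ok   $name: $status" >&2 ;;
        esac
    done
    echo "$unpatched"
}

# Build a constructed sample directory (made-up values, not from a real host)
# so the check can be demonstrated offline; echoes the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                 > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Vulnerable\n'                      > "$d/spec_store_bypass"
    printf 'Not affected\n'                    > "$d/l1tf"
    echo "$d"
}

# Demonstration: real host first, then the constructed sample.
echo "host: $(count_unpatched "$VULN_DIR") entries still vulnerable" >&2
SAMPLE=$(make_sample_dir)
echo "sample: $(count_unpatched "$SAMPLE") entries still vulnerable" >&2
rm -rf "$SAMPLE"
```

A host where every file reads “Mitigation: …” or “Not affected” yields a count of 0; anything else is a concrete item to raise with the target company’s IT staff.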
In addition, even though antivirus and antimalware software cannot detect Meltdown and Spectre attacks, they can protect against malware attempts to install software that can launch an attack. And it’s always a best practice to deploy up-to-date antimalware software.
If the target company is using cloud providers such as Amazon Web Services or Microsoft Azure, those vendors have announced that they have patched their systems against these vulnerabilities.
The best general source for Meltdown and Spectre information is https://meltdownattack.com/ which is maintained by Graz University in Austria, one of the discoverers of the two vulnerabilities. This site includes the latest updates, links to the original technical papers describing the exploits, a FAQ, and advisories from major vendors. This is a good resource to review during IT due diligence, once a target company’s major vendors have been identified.
Conclusion
Meltdown and Spectre are some of the most serious IT security risks ever identified. It will be many years before the processors that are impacted have been replaced by more secure versions. A target company’s reaction to Meltdown and Spectre provides a good opportunity to evaluate the overall technical proficiency of the organization during IT due diligence.