Reports flood in of Meltdown and Spectre malware discovered in the wild

The Meltdown and Spectre mitigations have been going around security clusters causing headaches for everyone involved, and it has been such a madhouse inside Intel that the company had to publicly tell people to stop applying its patches and wait for new ones that don't cause random boot issues. While Intel's processors are vulnerable to Meltdown, patches and fixes will only be made available for the last five years' worth of chips, with possible patches and mitigations for older processor families being investigated further down the line. AMD is only vulnerable to Spectre, and variant 1 of Spectre has already been patched through Windows Update. It's a good thing that we're paying so much attention to this, because malware variants of these attacks have been found circulating on the internet, and more are on the way.

Fortinet, an anti-virus maker and security research firm, announced this week that it had identified dozens of malware samples that took advantage of the proof-of-concept (POC) code published by Google's Project Zero team when the vulnerabilities were identified and named. That code demonstrates how the attack works and which flaws it exploits, and it could be re-used by researchers or malware authors to perform the same task. The malware variants were collected by research teams at AV-Test.

Given that basically no Intel architecture is mitigated against Spectre variant 2, and almost all of Intel's older chips are vulnerable to variant 1, this is not ideal. The risk of exposing vulnerabilities in public like this is that malware creators can get started on their projects quickly and focus attacks on users who don't update their hardware or software, and it was only a matter of time before working Spectre and Meltdown malware samples turned up in the open.

It's important to note that at this point any of these attacks should only do one of two things:

A) Run the POC exploit and report back on its success or failure, or

B) Run the exploit, try to attack the memory space of a well-known and widely used program, like Google Chrome or Microsoft Word, and report back on its success or failure

Meltdown and Spectre can grant malware creators access to private memory spaces, but unless they know what they're looking for, the results will be mostly white noise and garbage. It'll be an incoherent data dump that requires sifting through, especially if it is delivered through a worm, because then you're just attacking everything in plain sight. The real threat is these attacks being used against managed infrastructure, like a virtual machine host. For the moment, regular consumers like you and me aren't the targets.

Don't panic yet, but make sure you know where your towel is in case either of these vulnerabilities is the spark needed for Skynet to take over.

Source: Tom’s Hardware
