As widely reported in global media, security researchers have discovered fundamental design flaws in microprocessors (computer chips) from numerous manufacturers. As a result of these flaws, malware could theoretically read passwords and private keys, endangering the security of a system and its users. So far, however, there have been no reported cases in which this design flaw has successfully been exploited. Deutsche Telekom's own server systems are walled off, rendering the vulnerability irrelevant here.
The design flaw affects a feature in modern microprocessors called "speculative execution", which was implemented many years ago to increase processing speed. The feature entails using idle processor resources to calculate expected subsequent actions. Based on this vulnerability, security researchers have successfully tested two different, highly complex attack vectors, which they have named "Spectre" and "Meltdown". These attacks affect primary systems – such as PCs, cloud environments, and smartphones/tablet PCs – that allow the execution of external applications (programs, applications, apps, websites, and so on). For such an attack to be successful, the malware must be executed locally.
Not all of the potential attacks can be defeated through software updates to the operating system and hypervisor. Additional workarounds in applications will be needed to rule out all of the theoretically possible attack vectors. All the same, patches can close the most critical vulnerabilities.
Some vendors have already released patches or announced their pending release. We have begun installing the available patches and will continue to install additional updates as soon as they become available.
In detail:
The German Press Agency has compiled the following summary of what consumers can do right now and which vendors have already released patches:
- Windows: Microsoft has already published a first update for Windows 10. Updates for Windows 8 and Windows 7 will also be provided. Users who have not configured their computers to install updates automatically should check their "Windows Update" repeatedly in the coming days, to see whether a patch has been released. Microsoft generally suggests installing the latest security updates immediately, and for these vulnerabilities in particular, checking for updates from the device manufacturers (firmware updates).
- macOS: Mac users should also install updates immediately, as soon as they become available in the Mac App Store. As "heise security" reports, the latest macOS update already corrects part of the problem. An update to macOS 10.13.3 will provide additional protection.
Deutsche Telekom is already in contact with all manufacturers from its smartphone portfolio, to supply the security patches released by Google to all consumers as quickly as possible for the relevant network operator variants. The Android security patch levels from January 5, 2018 and later eliminate this vulnerability (Spectre and Meltdown). In addition, Deutsche Telekom recommends that users check regularly as to whether software updates are available for their smartphones and if so, install them. The software update iOS 11.2.2 has eliminated the vulnerability for Apple devices.
Deutsche Telekom's routers are not affected in practice by the Spectre and Meltdown attacks. Firstly, most models use microprocessors that, according to current information, are not exposed to this vulnerability. Secondly, exploiting a vulnerable processor requires the execution of malware on the device itself, and our routers do not permit the execution of source code from dubious sources. Therefore, attacks are not possible through simple means.
Nonetheless, we are working with our suppliers to review and determine whether processors in our routers are affected by this vulnerability and, if so, will release updates for affected devices.
In the Open Telekom Cloud, we are currently installing the available patches for the microcode of Intel processors and workarounds in the hypervisors and operating systems, to ensure that the complete ringfencing of processes, containers, and virtual machines can be maintained. These changes will result in a slight decrease in system performance, however. This drop in performance is unavoidable until the processor manufacturers provide hardware that is fundamentally free of the design flaws. For a detailed analysis and the current status of the Open Telekom Cloud, see https://imagefactory.otc.t-systems.com/Blog-Review/SpecExLeak.
