What Meltdown and Spectre Mean for Our Users
2018-01-10 Rüdiger Kügler
The recent news about security vulnerabilities in common microprocessors and, by implication, popular operating systems and applications has left many users rightly concerned about their IT security.
What we can say at this point in time is that there are three new vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754), which have become known under the monikers “Meltdown” and “Spectre”.
The possible attacks exploit common performance-boosting technology, such as the speculative execution of instructions, combined with side-channel attacks to access data in volatile memory. As far as we can tell, this can be done in user mode, making it possible for external attackers to combine this with other common strategies (e.g. phishing). The exact details and proofs of concept were released simultaneously by Google’s Project Zero.
The vulnerabilities have, so far, only been demonstrated under “sanitized” laboratory conditions, and no real-life attacks are known. Despite this, the potential implications seem disastrous: Memory could be accessed at will by processes without the privileges to do so. This could be particularly catastrophic in cases where multiple users share the same hardware (multi-tenancy).
The affected makers of microprocessors and software developers are aware of the issue and have begun to release first patches. There are suggestions that certain trends in chip design will have to be reconsidered in the medium term.
It is not yet known whether code can be manipulated by exploiting these vulnerabilities. We will continue to monitor and proactively evaluate the patches provided in response by the industry (using CVE databases). Where required, we will notify our clients about updates they should install.
To our current knowledge, the functions and capabilities of Wibu-Systems’ CodeMeter products are not affected by the threat and will continue to offer optimum protection for applications against manipulation and illicit use.
As the keys used for software protection never need to leave the CmDongle, our CodeMeter products will not be affected by Meltdown and Spectre, even if a would-be attacker should manage to access the entire application memory. Our IxProtector technology also supports highly granular encryption, making data available in unencrypted form only when and where it is genuinely needed. This will reduce the potential effects of an attack using Meltdown or Spectre to a minimum. Combined with our Blurry Box technology, this gives us good reason to consider Wibu-Systems the unbeaten leader in the field of software protection and licensing.
VP Sales | Security Expert
After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.