A pair of flaws dubbed Meltdown and Spectre that take advantage of the speculative execution performance feature in modern CPUs make the memory of virtually all computers and devices accessible to hackers.
“The Meltdown [CVE-2017-5754] and Spectre [CVE-2017-5753 and CVE-2017-5715] exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device,” Apple said in a blog post. “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown” and plans to address Spectre with an “update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques,” Apple said.
The Spectre “techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call,” the Apple blog noted. “Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser.”
A group of academics who penned a whitepaper on Meltdown have also offered up a fix for affected PCs, called KAISER.
Nick Deshpande, vice president of product development at Zenedge, said, “The deployment of KAISER at the OS level must be prioritized to prevent the leakage of kernel memory, as the best short-term solution.” For Spectre, though, “users can mitigate attacks - for now - by implementing serialization instructions to halt speculative execution paths on which processors normally rely,” he said.
While the analysis of the CPU flaws has by and large been focused on operating systems, programs and processes, and how memory is allocated, the threat to web browsers as potential attack vectors shouldn't be ignored.
“Owing to multi-process architecture, it's possible to passively observe, record, and exfiltrate cached memory from sites and plugins within the same browsing session using JavaScript (JS) code,” Deshpande wrote. “This scenario likely requires one of two things: either a compromised or malicious site (or ad impression) accessed by a targeted user or users.”
The series of flaws, at first found in Intel chips and affecting Windows, iOS and Linux, has now been uncovered in ARM and AMD processors.
Initially it looked as though systems that used chips from Intel competitor AMD had escaped unscathed, and as the company rode a bump in its stock, it assured users that their devices were unaffected. But in guidance issued later in the week, AMD noted that its research team had “identified [the] three variants within the speculative execution research.” One of them, Bounds Check Bypass, would be resolved through “software/OS updates to be made available by systems vendors and manufacturers” with “negligible performance impact expected”; another, Branch Target Injection, carries a “near zero risk of exploitation” due to differences in the AMD architecture. Those architectural differences also mean the company's products have zero vulnerability to the third variant, Rogue Data Cache Load.
Most vendors have pushed out updates and more fixes are likely on the horizon. US-CERT issued guidance Thursday on the vulnerabilities, including a table with links to vendor advisories and patches.
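Patches being pushed out is only half the story; a practitioner also wants to confirm that a given Linux host actually reports the Meltdown and Spectre mitigations as active. The script below is an added example, not code from the article or from any vendor; it assumes a Linux 4.15+ kernel that exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities (real paths and real status formats), and the SAMPLE host is constructed.

```python
"""Added example, not from the article: read the Linux kernel's own report of
whether its Meltdown/Spectre mitigations are active (real sysfs paths and status
formats, Linux 4.15+); the SAMPLE host below is constructed for offline use."""
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = {  # sysfs file name -> the variant as the article names it
    "meltdown": "CVE-2017-5754 Meltdown (Rogue Data Cache Load)",
    "spectre_v1": "CVE-2017-5753 Spectre v1 (Bounds Check Bypass)",
    "spectre_v2": "CVE-2017-5715 Spectre v2 (Branch Target Injection)",
}

def classify(status):
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith(("Not affected", "Mitigation:")):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_statuses(sysfs_dir=SYSFS_DIR):
    """Return {sysfs name: raw status line} for every issue in ISSUES."""
    statuses = {}
    for name in ISSUES:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:  # older kernel or not Linux: no reporting at all
            statuses[name] = "no sysfs entry (kernel predates mitigation reporting)"
    return statuses

def report(statuses):
    """Print a verdict per issue; True only if all are mitigated or unaffected."""
    all_ok = True
    for name, status in statuses.items():
        verdict = classify(status)
        all_ok = all_ok and verdict == "ok"
        print("%-10s %s: %s" % (verdict, ISSUES.get(name, name), status))
    return all_ok

SAMPLE = {  # constructed: KAISER/KPTI deployed for Meltdown, Spectre still open
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    sys.exit(0 if report(read_statuses(*sys.argv[1:2])) else 1)
```

Run it on a live host with no arguments, or point it at a copied sysfs directory; the exit code is non-zero whenever any variant is reported vulnerable or cannot be read.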
Linux creator Linus Torvalds, promising a Linux redesign to remediate the flaws, had harsh words for Intel, asking why the CPUs were developed without configuration options. “A *competent* engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL,” he wrote. “I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit they have issues instead of writing PR blurbs that say that everything works as designed.”
What that “means is that all these mitigation patches should be written with ‘not all CPUs are crap’ in mind,” he said. “Or is Intel basically saying ‘we are committed to selling you s*** forever and ever, and never fixing anything?’”
Torvalds said he sees only two possibilities – “Intel never intends to fix anything OR these workarounds have a way to disable them. Which of the two is it?”
Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, said the flaws underscore that “like most organizations, chip manufacturers have long prioritized speed over security—and that has led to a tremendous amount of sensitive data placed at risk of unauthorized access via Meltdown and Spectre.”
Noting that “the vast majority of computing devices” will feel the impact of the flaws, Kalember said “the sky is not falling” since “the typical consumer is still vastly more likely to be targeted by something like a phishing email than a targeted attack exploiting Meltdown or Spectre.”
Alan Liska, intelligence architect at threat intel company Recorded Future, defended chipmakers, noting that “processor manufacturers like Intel, AMD and ARM do take security very seriously and while this vulnerability is not a good look the overall track record for these companies has been very good” more recently.
“There is an old saying when it comes to computer hardware: Fast, Cheap, Secure: Pick 2. Unfortunately, that is no longer the case,” said Liska. “The line between software and hardware operations has blurred over the last decade and just as software developers have had to take security more seriously, hardware developers need to follow suit.”
Harder hit will be the cloud. “Since the vulnerabilities break down some of the most fundamental barriers computers use to keep data safe…cloud providers need to act quickly to ensure that unauthorized access, which would be very difficult to detect, does not occur,” said Kalember.
Recorded Future's Liska said the flaws could cause serious problems on shared cloud servers. “There is a lot of speculation that these will be the most prominent targets of this vulnerability,” he said, adding that Amazon and Microsoft are “conducting emergency patches on their entire cloud infrastructure” and Google has already deployed patches. The path to a fix might not be so obvious for smaller cloud providers. “These are the most obvious cloud targets, but remember there are small to mid-sized hosting providers that manage hundreds of thousands of servers that won't have advance access to patches and are reliant on their OS provider to get new patches out before they can protect their customers. It could be weeks or months before these companies have full protection in place,” said Liska.
Calling the potential impact of Meltdown “truly frightening,” Varun Badhwar, CEO and co-founder of RedLock, said the “flaw is a stark reminder that security of public cloud computing environments is a shared responsibility between the cloud service provider and the customer.”
In this case, he said, “Amazon, Microsoft, and Google are doing their part by immediately rolling out fixes on their cloud infrastructure. But it is equally as important for organizations to do their part and install the software patches for the various operating systems running within their cloud environment.”
But whether organizations are up to the task remains to be seen, with security professionals pointing to poor cybersecurity hygiene. “What is deeply concerning to me is that this will only serve to amplify how broken the state of security disclosure and remediation is,” said Mike Kail, CTO, CYBRIC. “The leading vendors will issue patches relatively quickly, but then it will be up to Security Operations and even individuals (Consumers) to apply/install those patches. As we continue to see, there is a severe lack of security hygiene, and that is getting worse, not better.”
These vulnerabilities can have big implications, and many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. Those patches will also impact system performance, which may have a cumulative effect in data centers and for anyone using cloud services and the internet.
Bryce Boland, Asia Pacific CTO at FireEye, said that large organizations are going to have “to make a risk management decision as to how quickly they update their systems, as this can be disruptive and costly.”
And Fred Kneip, CEO at CyberGRX, cautioned that enterprises shouldn't “overlook their third parties.” Other large attacks like WannaCry and Petya “were much worse because companies failed to apply available patches in a timely manner,” he said. “In addition to patching their own systems, it's just as important for enterprises to understand the patch management controls of all of their third parties – including vendors, partners, customers and divisions of their own companies – in order to thoroughly mitigate the risk of any future exploits of the Meltdown and Spectre vulnerabilities.”