Meltdown & Spectre security flaws - the industry responds

The technology world was rocked by the unveiling of major security flaws that could put millions of users at risk of having their data stolen.

The Meltdown and Spectre vulnerabilities, discovered by researchers in Google's Project Zero security team, affect processor hardware made by Intel, AMD and ARM, meaning that potentially every computer, cloud server and smartphone could be hit.

Such a wide-scale attack has not been seen for some time, so ITProPortal asked the technology industry for its views on the issue.

Steve Grobman, CTO at McAfee

"Today’s disclosure of the ‘Meltdown’ and ‘Spectre’ attack methods shows that we need to think about how advanced threat techniques have the ability to scale across all of the computing platforms we rely on and can impact both corporate and consumer domains at the same time.

This disclosure reveals that the scope of implications extends beyond just PCs to Servers, Cloud, Mobile and IoT platforms, and beyond one vendor’s CPU platform to those of multiple vendors. These methods attack the foundational modern computer building block capability that enforces protection of the OS from applications, and applications from one another. Businesses and consumers should update operating systems and apply patches as soon as they become available."

Mike Buckbee, security engineer at Varonis

“This vulnerability makes it theoretically possible to open up the end user’s device and rummage through the computer’s memory. For example, a JavaScript application running in a browser on a website could potentially access your computer’s kernel memory and rip through any information held there. While it’s unlikely there would be full files stored there, it’s very possible it would find bits and pieces of valuable data, like SSH keys, security tokens and even passwords.

To counteract the threat, patches for all operating systems are in the works. These patches “scramble” how kernel memory is stored, making it impossible for applications to exploit the flaw.

While all the details are not available at this point, from what is known, this vulnerability can be considered a threat: it could allow for credential theft or other privilege escalation exploits. In this respect, while potentially dire, it’s very similar to an insider threat or admin data breach. Organisations need to layer multiple levels of protection to build defensive depth in their networks and applications.”

Craig Young, security researcher at Tripwire

"The Meltdown and Spectre vulnerabilities leverage side channel information leakage to effectively undermine some of the most fundamental security constraints employed by modern computers. In each case, an attacker can run code on an affected processor which leaks information stored in the computer’s memory. This includes things like passwords and cryptographic keys as well as information needed to more effectively exploit other vulnerabilities.

Meltdown is arguably the more serious of the two vulnerabilities and requires considerable operating system changes to mitigate. A countermeasure against another side channel attack was published over the summer and titled KAISER. In response to the newly discovered side channel, all major OS makers are now incorporating KAISER-based countermeasures, including KPTI in Linux.

Meltdown could have devastating consequences for cloud providers, as Google researchers were able to demonstrate reading of host memory from a KVM guest OS. For a cloud service provider, this could enable attacks between customers."

Ido Naor, senior security researcher, GReAT at Kaspersky Lab

“Two severe vulnerabilities have been discovered in Intel chips, both of which could enable attackers to seize sensitive information from apps by accessing the core memory. The first vulnerability, Meltdown, can effectively remove the barrier between user applications and the sensitive parts of the operating system. The second vulnerability, Spectre, also found in AMD and ARM chips, can trick vulnerable applications into leaking their memory contents.

“Applications installed on a device generally run in ‘user mode’, away from the more sensitive parts of the operating system. If an app needs access to a sensitive area, for example the underlying disc, network or processing unit, it needs to ask permission to use ‘protected mode’. In Meltdown’s case, an attacker could access protected mode and the core memory without requiring permission, effectively removing the barrier – and enabling them to potentially steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.

“As they are hardware bugs, patching is a significant job. Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. Intel has a tool you can use to check if your system is vulnerable to the bugs and Google has published further information here. It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection.”
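Two of the statements above touch on the same practical question for a defender: Tripwire's note that Linux ships the KAISER-based KPTI mitigation, and Kaspersky's advice to check whether a system is vulnerable and to confirm patches are in place. The following script is an added example, written for this page and not taken from the article or from any of the quoted vendors. It assumes a Linux kernel of 4.15 or later, which exposes one status file per CPU bug under /sys/devices/system/cpu/vulnerabilities (for example `meltdown`, `spectre_v1`, `spectre_v2`), and classifies each file by its leading keyword, since the exact wording after "Mitigation:" or "Vulnerable" varies between kernel versions. The sample directory it builds when that interface is absent is constructed for the demo; the values in it are not real measurements from any host.

```shell
#!/bin/sh
# Added example (not from the article): classify the Linux kernel's per-bug
# status files under /sys/devices/system/cpu/vulnerabilities (kernel 4.15+).
# Only the leading keyword is matched because the detail text differs by
# kernel version.

# classify_status STATUS -> prints one of: mitigated, vulnerable, not-affected, unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not-affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# report_dir DIR: print "<bug> <class> <raw status>" for every file in DIR and
# return the number of entries classified as vulnerable (0 means nothing
# is flagged). Returns 255 if DIR does not exist (no sysfs interface).
report_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "no vulnerability interface under $dir" >&2; return 255; }
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    class=$(classify_status "$status")
    printf '%-12s %-13s %s\n' "$(basename "$f")" "$class" "$status"
    [ "$class" = vulnerable ] && bad=$((bad + 1))
  done
  return "$bad"
}

# make_sample_dir: build a constructed directory that mimics the sysfs layout.
# The three status strings are made up for the demo and follow the kernel's
# format; a real host will show its own values.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n'                            > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n'    > "$d/spectre_v1"
  printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
  echo "$d"
}

# main: report the live host if the interface exists, otherwise fall back to
# the constructed sample so the script still demonstrates the output format.
main() {
  sysdir=/sys/devices/system/cpu/vulnerabilities
  if [ -d "$sysdir" ]; then
    target=$sysdir
  else
    echo "live interface absent; using constructed sample data" >&2
    target=$(make_sample_dir)
  fi
  n=0
  report_dir "$target" || n=$?
  echo "vulnerable entries: $n"
  [ "$target" = "$sysdir" ] || rm -rf "$target"
}

main
```

On a patched host every line should read `mitigated` or `not-affected` and the final count should be 0; a `vulnerable` line on the `meltdown` entry means KPTI is not active on that kernel, which is the condition the patches described above are meant to close. The script deliberately does not attempt to trigger the flaw; it only reads the kernel's own self-report, which is the check an administrator would fold into configuration auditing.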

Bryce Boland, Asia Pacific chief technology officer at FireEye

"Vulnerabilities like this are extremely problematic because they permeate so much of the technology around us that we all rely upon. Resolving this issue will take time and incur costs. In many cases, this cost includes security risks, rectification effort and even computing performance.

These vulnerabilities can have big implications. Many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. This will also impact system performance which may have a cumulative effect in data centres for anyone using cloud services and the internet.

Large organisations will need to make a risk management decision as to how quickly they update their systems, as this can be disruptive and costly.

We are yet to understand the full impact of this development, and not all details are available. At this stage, exploitable code is not publicly available. Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that's likely in this case."