Following the news that a fundamental design flaw in Intel’s processor chips, dating back to 1995, would allow an attacker to read protected memory, IT security experts comment below.
Ido Naor, Senior Security Researcher, GReAT at Kaspersky:
“Applications installed on a device generally run on ‘user mode’, away from the more sensitive parts of the operating system. If an app needs access to a sensitive area, for example the underlying disc, network or processing unit, it needs to ask permission to use ‘protected mode’. In Meltdown’s case, an attacker could access protected mode and the core memory without requiring permission, effectively removing the barrier – and enabling them to potentially steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
“As they are hardware bugs, patching is a significant job. Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. Intel has a tool you can use to check if your system is vulnerable to the bugs and Google has published further information here. It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection.”
Gavin Millard, Technical Director at Tenable:
“For home users, MacOS has already been updated to address the flaw with Apple’s recent 10.13.2 patch release. For Windows, there were also fixes made available last night. Almost everybody is affected by these bugs, in ways researchers are only just discovering. It is of the utmost importance that updates are applied in a timely manner.
“With a possible decrease in processing speed caused by addressing the flaws, organisations that rely on cloud platforms could be facing a significant financial impact from the increase in the number of workloads required to complete tasks.”
Mike Buckbee, Security Engineer at Varonis:
“To counteract the threat, patches for all operating systems are in the works. These patches “scramble” how kernel memory is stored, making it impossible for applications to exploit the flaw.
“While all the details are not available at this point, from what is known, this vulnerability can be considered a threat: it could allow for credential theft or other privilege escalation exploits. In this respect, while potentially dire, it’s very similar to an insider threat or admin data breach. Organisations need to layer multiple levels of protection to build defensive depth in their networks and applications.”
Joseph Carson, Chief Security Scientist at Thycotic:
“With these cyber risks, it means that most companies will approach patching systems with extreme caution, as many companies still prioritise business operations over security issues. The impact for many companies not having the systems operational is sometimes greater than the risk of a cyberattack, but cyberattacks do not come cheap either, as seen with cyberattacks like WannaCry and NotPetya in 2017 costing some companies up to 300 million USD. The systems at higher risk are those that are internet connected, meaning they are easily accessible by cybercriminals, and those systems used by employees, who regularly use them for browsing the internet, so these systems should be the priority for any organisation that takes cybersecurity seriously.
“Organisations concerned about the possibility of passwords and login keys being exposed should consider using a password management solution. Even if a cybercriminal exploited this security flaw, the password or login key exposure would be short-lived, as an enterprise password management solution could continuously rotate passwords regularly to ensure any compromise would be short-lived.”
Derek Weeks, VP and DevOps Advocate at Sonatype:
“GDPR-like ‘security by design’ has not been the default position to date and we must take steps to make it so. It is therefore imperative that organisations make targeted investments in people, process and technology, to ensure we truly are secure.
“Google is an excellent example of this, undertaking independent research to find flaws in technology, whether hardware or software. In parallel, Sonatype has continuously invested in research to discover vulnerabilities in millions of open source software components, which comprise 80-90% of a modern enterprise application. These investments make it possible to quickly disseminate actionable information to help control and remediate these issues while keeping innovation moving at DevOps-native speed.”
Mike Simmonds, CEO at Axial Systems:
“If the software knows exactly where and what to look for, the data exported will remain unstructured and without context so a large amount of post-exfiltration processing will be undertaken to successfully exploit what has been extracted. The overall effect in the consumer world is likely to be small and there is no need to change appropriate security behaviour: protect your systems, don’t click on unsolicited email attachments and protect your systems with the relevant hardware, software and procedures.
“The overall effect of the solution that is being used in the repair patches and applied will undoubtedly lead to an impact on performance but only on really process-intensive applications such as software compilation.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.