Following the news that a fundamental design flaw in Intel’s processor chips, dating back to 1995 would allow an attacker to read protected memory, IT security experts commented below.
Ido Naor, Senior Security Researcher, GReAT at Kaspersky:
“Two severe vulnerabilities have been discovered in Intel chips, both of which could enable attackers to seize sensitive information from apps by accessing the core memory. The first vulnerability, Meltdown can effectively remove the barrier between user applications and the sensitive parts of the operating system. The second vulnerability, Spectre, also found in AMD and ARM chips can trick vulnerable applications into leaking their memory contents.
“Applications installed on a device generally run on ‘user mode’, away from the more sensitive parts of the operating system. If an app needs access to a sensitive area, for example the underlying disc, network or processing unit, it needs to ask permission to use ‘protected mode’. In Meltdown’s case, an attacker could access protected mode and the core memory without requiring permission, effectively removing the barrier – and enabling them to potentially steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
“As they are hardware bugs, patching is a significant job. Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. Intel has a tool you can use to check if your system is vulnerable to the bugs and Google has published further information here. It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection.”
Gavin Millard, Technical Director at Tenable:
“The latest vulnerabilities blessed with catchy names and logos are deserving of the hype that will surely build. Spectre and Meltdown are both incredibly concerning from a privacy perspective, affecting the average home user and enterprises alike. The long-standing blunder in chip design could enable an attacker to access confidential pieces of information being processed, for example grabbing a password as it’s typed, installing malware that could slurp up anything a user is working on, or browser data to enable to hoover up credit card details and logins.
“For home users, MacOS has already been updated to address the flaw with Apple’s recent 10.13.2 patch release. For Windows, there were also fixes made available last night. Almost everybody is affected by these bugs, in ways researchers are only just discovering. It is of the utmost importance that updates are applied in a timely manner.
“With a possible decrease in processing speed caused by addressing the flaws, organisations that rely on cloud platforms could be facing a significant financial impact from the increase in the number of workloads required to complete tasks.”
Mike Buckbee, Security Engineer at Varonis:
“This vulnerability makes it theoretically possible to open up the end user’s device and rummage through the computer’s memory. For example, a JavaScript application running in a browser on a website could potentially access your computer’s kernel memory and rip through any information held there. While it’s unlikely there would be full files stored there, it’s very possible it would find bits and pieces of valuable data, like SSH keys, security tokens and even passwords.
To counteract the threat, patches for all operating systems are in the works. These patches “scramble” how kernel memory is stored, making it impossible for applications to exploit the flaw.
While all the details are not available at this point, from what is known, this vulnerability can be considered a threat: it could allow for credential theft or other privilege escalation exploits. In this respect, while potentially dire, it’s very similar to an insider threat or admin data breach. Organisations need to layer multiple levels of protection to build defensive depth in their networks and applications.”
Joseph Carson, Chief Security Scientist at Thycotic:
“The latest Intel, ARM and AMD chip security flaw is a major issue for multiple reasons, the security risk has the potential for simple code running in a web browser. This could allow for a cybercriminal to access sensitive data in protected memory which could include passwords, login keys or sensitive data that is typically protected. The patch of such a flaw is a major challenge as a firmware update typically requires a reboot so for servers running critical systems, this results in unplanned downtime. With the fix having a potential performance impact of up to 30%, this means critical systems already running at full power could require costly upgrades to ensure operational stability.
With these cyber risks, it means that most companies will approach patching systems with extreme caution as many companies still prioritise business operations over security issues. The impact for many companies not having the systems operational is sometimes greater than the risk of a cyberattack but cyberattacks do not come cheap either as seen with cyberattacks like WannaCry and NotPetya in 2017 costing some companies up to 300 million USD. The systems at higher risk are those that are internet connected, meaning they are easily accessible by cybercriminals and those systems used by employees, who regularly use them for browsing the internet, so these systems should be the priority for any organisation that takes cybersecurity seriously.
Organisations concerned about the possibility of passwords and login keys being exposed, should consider using a password management solution. Even if a cybercriminal exploited this security flaw, the password or login key exposure would be short lived as an enterprise password management solution could continuously rotate passwords regularly to ensure any compromise would be short lived.”
Derek Weeks, VP and DevOps Advocate at Sonatype:
“Google’s discovery of a flaw in the architecture of Intel and other chipmakers’ products highlights the urgent need for security vigilance when designing technology. Time and time again, we see how failure to design in security from the beginning, whether into software, hardware, or firmware, puts our data, or health and our privacy at risk.
“GDPR-like ‘security by design’ has not been the default position to date and we must take steps to make it so. It is therefore imperative that organisations make targeted investments in people, process and technology, to ensure we truly are secure.
“Google is an excellent example of this, undertaking independent research is to find flaws in technology whether hardware or software. In parallel, Sonatype has continuously invested in research to discover vulnerabilities in millions of open source software components, which comprise 80-90% of a modern enterprise application. These investments make it possible to quickly disseminate actionable information to help control and remediate these issues while keeping innovation moving at DevOps-native speed.
Mike Simmonds, CEO at Axial Systems:
“Effectively, if a third party gains access to an Intel, ARM or AMD processor with a suitable crafted code that is allowed to execute, the code can be instructed to copy some of the Kernel RAM (core but temporary memory ) of the appliance and potentially export the same data.
“If the software knows exactly where and what to look for, the data exported will remain unstructured and without context so a large amount of post-exfiltration processing will be undertaken to successfully exploit what has been extracted. The overall effect in the consumer world is likely to be small and there is no need to change appropriate security behaviour, protect your systems, don’t click on unsolicited email attachments and protect your systems with the relevant hardware, software and procedures.
“The overall effect of the solution that is being used in the repair patches and applied, will undoubtedly lead to an impact on performance but only on really process-intensive applications such as software compilation.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.