Sources:
Two vulnerabilities:
– Meltdown
  o Description:
    - Normally, Intel x86 processors enforce memory separation between the Operating System (OS) kernel and user applications
    - Meltdown allows malware to read arbitrary kernel memory, i.e. memory used by the kernel and by other applications
    - Affects desktops, laptops, cloud servers and smartphones
  o Risk:
    - Large impact: malware can read sensitive data used by other applications, such as:
      - Passwords
      - Encryption keys
      - Banking information (e.g. credit card details)
      - Documents
    - Probability of occurrence:
      - For end-users:
        o Malware needs to be present on the user's device
        o Retrieval of useful data is not straightforward, so it is unlikely to be used against a large number of users
      - For companies:
        o Can be used in targeted attacks against specific companies
  o Scope:
    - Intel:
      - x86 processors that implement out-of-order execution (almost all processors since 1995) might be impacted, except Atom and Itanium processors released before 2013
      - Meltdown is confirmed to apply to Intel processors released since 2010
    - AMD: impact unclear
    - ARM: only one processor impacted
    - Android: patches available
    - Apple: no public comments so far
    - Linux: patches available (KPTI/KAISER patches)
    - Microsoft: has released patches for Windows, IE, Edge and SQL Server on 3/1, and is also updating cloud and tablets
    - Container solutions (e.g. Docker, LXC, OpenVZ): impacted
    - Fully virtualized machines: not impacted (access to host kernel space is not possible)
  o Solution:
    - Users should be cautious when installing software from suspicious or unknown sources
    - Users should apply software patches at OS kernel level
    - Patches might cause performance degradation, but regular computer users will probably not notice it
  o Independently discovered by three teams:
    - Google Project Zero
    - Cyberus Technology
    - Graz University of Technology in Austria
– Spectre
  o Description:
    - Breaks memory isolation between different applications
  o Threats:
    - Large impact: an application can access the RAM of other applications
  o Scope: Intel, ARM and AMD processors
  o Solution:
    - Software patches exist for specific occurrences
  o Independently discovered by two teams:
    - Google Project Zero
    - Paul Kocher and other researchers
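Applying the kernel-level patches listed above is only half the job; an administrator also wants to confirm the mitigation is actually active. As an added defender-side example (not code from the original page), the POSIX shell script below reads the per-issue status files the Linux kernel exports under /sys/devices/system/cpu/vulnerabilities/ (introduced with the KPTI work in Linux 4.15 and carried in distribution backports). The sample directory it builds is constructed for demonstration, not output captured from any real host.

```shell
#!/bin/sh
# Added example, not from the original page. The kernel exposes one file per
# issue (meltdown, spectre_v1, spectre_v2, ...) holding "Not affected",
# "Mitigation: <name>" or "Vulnerable[: detail]". Reading them shows whether a
# kernel patch took effect, rather than merely being installed on disk.

SYSFS_VULNS=/sys/devices/system/cpu/vulnerabilities

# Print "<issue>: <state>" for every file in DIR (default: the real sysfs path)
# plus a summary line; return 0 only if no issue reports "Vulnerable".
cpu_vuln_report() {
    dir="${1:-$SYSFS_VULNS}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the interface, treat as unmitigated" >&2
        return 2
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # empty dir leaves the glob unexpanded
        state=$(cat "$f")
        case "$state" in
            Vulnerable*) bad=$((bad + 1)) ;;
        esac
        echo "${f##*/}: $state"
    done
    echo "summary: $bad issue(s) still vulnerable"
    [ "$bad" -eq 0 ]
}

# Constructed sample tree (hypothetical values) mimicking a host with KPTI
# applied but no Spectre v2 fix, so the report can be exercised anywhere.
make_sample_tree() {
    d=$(mktemp -d)
    echo "Mitigation: PTI"                         > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable"                              > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: inspect this host if it has the interface, else the sample.
if [ -d "$SYSFS_VULNS" ]; then target=""; else target=$(make_sample_tree); fi
if cpu_vuln_report $target; then
    echo "all reported issues are mitigated or not applicable"
else
    echo "patching or firmware update still required"
fi
```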
Frederik Mennes, Senior Manager Market & Security Strategy at VASCO:
“During the past days we have learnt that, for many years, a lot of our personal computing devices – desktops, laptops, tablets and smartphones – contain two security flaws, called Meltdown and Spectre. These vulnerabilities allow malware to read the computer’s memory, effectively giving access to sensitive user data, like passwords, cryptographic keys, banking information, and so on. Many servers hosting cloud services are equally vulnerable to these flaws. Users should patch the firmware and software of their devices as soon as possible, and should also be extra cautious when downloading software from unknown or suspicious sources.”
Luke Brown, EMEA Vice President at WinMagic:
“The Meltdown and Spectre flaws have sent a shockwave through the industry for vendors and customers alike. Whilst currently there is no evidence to suggest these exploits have been used to steal data, they underline once again that customers must ensure data covered by regulations such as the incoming EU GDPR, or that is sensitive to the company in any way, must be encrypted. It is the last line of defence for data when all other security measures fail, or new hardware and software flaws are discovered. This is another reminder that customers need to consider encryption as part of a managed security strategy across all on-premise servers, devices and cloud services if they are to meet the security challenges we all face today.”
Dr Richard Ford, Chief Scientist at Forcepoint:
“2018 has gotten off to a tough start with the news of the Meltdown and Spectre vulnerabilities. Both of these vulnerabilities relate to failures of isolation, and while they are about data leaking from one place to another rather than code execution, they spell trouble for pretty much all computer users, everywhere. The events of the last few days only underscore how vulnerable our critical data is to attackers. While these vulnerabilities are worrisome, these exploits are just two of the raft of threats we have to deal with each and every day. If you’re a security professional, trying to chase every single new threat is like trying to chase your own tail. We urge defenders to keep a careful eye on the overall threat environment yet increase their focus on who and what has access to the data that is most sensitive. This user- and data-centric approach to security has never been more important.”
Carl Wright, Chief Revenue Officer at AttackIQ:
“2018 is quickly off to a “negative” start for security defenders and we expect that these types of cyber threats will escalate throughout the year. Never more than today has there been a need for security organizations to continuously validate their security controls and posture in near real-time. Spectre and Meltdown are just the latest examples of vulnerabilities that allow attackers to gain privileged access with little effort. Organizations must assume attackers will gain an initial foothold into the network and subsequently, be prepared to exercise incident response and compensating controls. Attack simulation can provide significant visibility into an organization’s security posture and processes and how prepared they are to address attacks such as these.”
Michael Lines, VP of Strategy, Risk and Compliance at Optiv:
“The Meltdown and Spectre security flaws are affecting billions of devices, but the fundamental challenges that organizations face remain the same as every other major vulnerability that has been announced. Fixing these security flaws is going to be a long-term issue to resolve because, one, patches are needed across a vast array of operating systems, and two, patches for Spectre are still to be developed and released.
These widespread vulnerabilities underscore the importance of having ongoing risk assessment processes in place, as well as well-oiled TVM processes – both as part of a robust information security program. Risk assessment should cover both awareness and management of the issue at the board and C-suite level. These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical. Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”
Christian Vezina, CISSP, CISA, CISM, CRISC, CIPP/US, CIPT, Chief Information Security Officer at VASCO Data Security:
“What I find interesting is that with the ever increasing amount of software code out there, security researchers are still discovering 20+ year old vulnerabilities. Unfortunately the processor level vulnerabilities that have been published recently seem to indicate a trend: Everyone drop what you are doing and start patching your systems [again].”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.