Following recent news that Microsoft and Google have jointly disclosed what’s being called Speculative Store Bypass (variant 4), which can allow an attacker to read older memory values in a CPU’s stack or other memory locations, IT security experts commented below.
Joseph Carson, Chief Security Scientist at Thycotic:
It is a bit like a car manufacturer telling you to “remember that car we sold you? Well the locks don’t really work so to keep it from being stolen you can no longer drive it at 70mph but now it is limited to 50mph. Sorry you can’t have fast performance and security at the same time so you must choose only one”
Spectre/Meltdown will absolutely impact performance of systems especially critical systems that are already running at near or full resource capacity. Organisations must again decide what is the greater risk, system downtime and business performance impact or the risk of a cyberattack that exposes sensitive data or full access to the corporate network. The crucial decision is to patch or not to patch and that is indeed the question.”
Setu Kulkarni at WhiteHat Security:
Moreover, while the vulnerability itself is classified as medium risk, the widespread nature of the impact should really concern security teams all over the world. Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud based multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as info security teams are dealing with an increasing variety of security issues… the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’”
Rob Tate, Distinguished Security Researcher at WhiteHat Security:
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.