Following recent news that Microsoft and Google have jointly disclosed what’s being called Speculative Store Bypass (variant 4), which can allow an attacker to read older memory values in a CPU’s stack or other memory locations, IT security experts commented below.
Joseph Carson, Chief Security Scientist at Thycotic:
“No surprises here, once a major vulnerability is found the world’s cybersecurity researchers will zoom in to find other possible variations and as expected we are starting to learn about more Meltdown and Spectre chip-level security flaws. This particular variant exploits the speculative Store Bypass attack commonly used in “Language-based runtime environments” used in web browsers for example JavaScript. Currently there is no permanent solution for these flaws (a nice way to avoid saying major security vulnerability) and everything we have seen so far is turn it off and accept reduced performance.
It is a bit like a car manufacturer telling you to “remember that car we sold you? Well the locks don’t really work so to keep it from being stolen you can no longer drive it at 70mph but now it is limited to 50mph. Sorry you can’t have fast performance and security at the same time so you must choose only one”
Spectre/Meltdown will absolutely impact performance of systems especially critical systems that are already running at near or full resource capacity. Organisations must again decide what is the greater risk, system downtime and business performance impact or the risk of a cyberattack that exposes sensitive data or full access to the corporate network. The crucial decision is to patch or not to patch and that is indeed the question.”
Setu Kulkarni at WhiteHat Security:
“With the proliferation of devices and given the sheer effort required to update the 100s of millions of devices – whether they are personal devices or time-shared cloud systems, the impact of these variants is massive.
Moreover, while the vulnerability itself is classified as medium risk, the widespread nature of the impact should really concern security teams all over the world. Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud based multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as info security teams are dealing with an increasing variety of security issues… the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’”
Rob Tate, Distinguished Security Researcher at WhiteHat Security:
“Once they can get code to run locally on a victim’s computer, high-skill hackers have many tools at their disposal to expand their control and take over the machine. What made Meltdown/Spectre special was its universal nature in both working on many machines and being useful in many different scenarios on a given machine. The more commonly useful a vulnerability, the more it helps attackers simplify their process and, perhaps more critically, the easier it becomes for non-skilled hackers to compromise more computers. Variant 4 is mostly being discussed in a fairly narrow scope: accessing specific unpatched browser’s private data. If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre. So while patches should be applied when possible, Intel is right to call this a Medium.”
