
Security Management

1/8/2019
09:35 AM
Jeffrey Burt

Spectre, Meltdown Vulnerabilities Will Haunt Industry for Years

Chip makers such as Intel have released patches and fixes to mitigate Spectre and Meltdown issues, but the problem won't be solved until they come out with new architectures, which is two to three years away.

A year ago, the public first heard about Spectre and Meltdown, side-channel vulnerabilities in most of the processors used in servers and PCs for almost two decades. The disclosure of the vulnerabilities, first detected by Google's Project Zero team in mid-2017 and officially disclosed in early 2018, sent shockwaves through the industry.

The effects will continue to be felt over the next few years as chip makers from Intel and AMD to ARM and IBM rearchitect their processors to harden the technology that led to the vulnerabilities, a process that will take another three or so years, according to Paul Teich, principal analyst at Liftr Cloud Insights.

After that comes the arduous task of refreshing PCs and data center servers throughout the world with systems powered by the new processors, which could take a decade or more.

"We're going to be living with Spectre and Meltdown for a long time," Teich told Security Now.

The vulnerabilities arise out of the speculative execution that is used to ramp up the performance of the processors. Spectre breaks the isolation between applications that the CPU is supposed to enforce over memory, while Meltdown breaks the isolation between applications and the operating system. Chip makers scrambled to put in fixes through microcode and software changes to mitigate some of the risk from Spectre and Meltdown, but more permanent solutions are years down the road. In addition, variants of the vulnerabilities have continued to spring up, complicating the already complex task of addressing the problems. (See New Spectre & Meltdown Attacks Show Limits of CPU Vulnerabilities.)
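Because the microcode and software fixes mentioned above land piecemeal, the first thing a defender wants is an inventory of which mitigations a given host actually reports. The following is an added example, not code from the article or from any chip vendor: it reads the per-flaw status files that Linux kernels expose under /sys/devices/system/cpu/vulnerabilities/ and sorts them into buckets, falling back to a constructed sample where that directory is absent.

```python
"""Report the Linux kernel's own status line for each speculative-execution
flaw. Added example for this article, not the author's or any vendor's code.
Kernels expose one file per flaw (spectre_v1, spectre_v2, meltdown, l1tf, ...)
holding a line such as "Not affected", "Vulnerable" or "Mitigation: PTI"."""
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample in the kernel's format; the mix of statuses is invented
# to exercise every bucket below.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "srbds": "Not affected",
}

def classify(status: str) -> str:
    """Map a status line to a coarse bucket. 'partial' marks mitigations the
    kernel itself qualifies (SMT still on, or microcode missing)."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation:"):
        return "partial" if ("SMT vulnerable" in s or "no microcode" in s) else "mitigated"
    return "unknown"

def read_sysfs_status(directory: str = SYSFS_DIR) -> dict:
    """Read every flaw file; returns {} where the directory is absent (non-Linux)."""
    d = Path(directory)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir()) if p.is_file()}

def summarize(status: dict) -> dict:
    """Group flaw names by bucket so a fleet report can key off 'vulnerable'/'partial'."""
    buckets = {k: [] for k in ("not_affected", "mitigated", "partial", "vulnerable", "unknown")}
    for name, line in sorted(status.items()):
        buckets[classify(line)].append(name)
    return buckets

if __name__ == "__main__":
    live = read_sysfs_status()
    print("source:", "sysfs" if live else "constructed sample")
    for bucket, names in summarize(live or SAMPLE_STATUS).items():
        print(f"{bucket:13s} {', '.join(names) or '-'}")
```

A "partial" or "vulnerable" bucket on a patched host usually means the microcode update did not reach the CPU or SMT was left enabled, which is exactly the gap the article's analysts describe between a released fix and an applied one.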

Security concerns
Spectre and Meltdown also changed the discussion around security to a degree.

Until last year, much of the talk about vulnerabilities and exploits centered around software, though the security of Internet of Things (IoT) devices has been a growing issue. However, Spectre and Meltdown brought security concerns into the core of enterprise hardware and raised the difficult question of finding a middle ground between performance and security. Intel and others have tried to lessen the impact on performance through such steps as adding more memory, but it's a challenge, Teich said.

"A worrying pattern that the Spectre and Meltdown vulnerabilities brought to light is how attackers piggyback on computing advancements and exploit the fact that there's often a lag between performance improvements and corresponding security improvements," Abhishek Iyer, technical marketing manager at cybersecurity vendor Demisto, told Security Now in an email. "The Intel SGX brought an innovation to market -- the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks -- but the Foreshadow (L1TF) [variant] explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting on the sidelines."

It also put a focus on the need to address security throughout the development process to address possible vulnerabilities before the products are shipped, Charles King, principal analyst with Pund-IT, told Security Now.

"It's a new world that continues to evolve," King said. "It behooves people to keep that in mind. Don't think it's going to get any less complex or dangerous."

Assessing the response
The industry's initial response to Spectre and Meltdown was good, according to Liftr Cloud's Teich. Google researchers worked with hardware and software vendors to remediate as many of the problems as possible before going public with the vulnerabilities, and chip makers have continued to issue fixes and put in protections into their products.

Still, the various fixes frustrated C-level executives and IT professionals, according to Jon King, cybersecurity consulting manager at investment firm Moss Adams. For executives, the impact on performance and cost may have convinced some to "ride out the storm [rather] than fully understand the risk," King told Security Now in an email. (See Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown.)

The continual release of inconsistent patches also affected IT. As King noted, these updates ended up:

Desensitizing them to the potential impact of side channel disclosure due to the frustration of reapplying patches and registry edits across the enterprise. Going forward, we should expect and even encourage vendors to address classes of vulnerabilities affecting broad swaths of the industry in a thorough, effective manner. The emphasis should be on addressing the risk, not simply patching the vulnerability.

Teich added that the next iteration of processors from Intel and AMD will bring greater protections against the vulnerabilities -- he called them "half steps" -- but it will be the processor rollouts after that -- in mid- to late-2020 -- that will include new core architectures that will protect the various points in the speculative execution pipeline. Then comes the long process of enterprises refreshing their data centers with new systems that include the new chips.

The good news is that, so far, there don't seem to have been any attacks in the wild exploiting the Spectre or Meltdown vulnerabilities.

Part of that may be how difficult such an attack would be, Teich said, calling the vulnerabilities "low-risk, high-impact." Such an attack would involve transferring huge amounts of data from the system over the network, something that modern security solutions would most likely be able to detect.

In addition, most threat actors know what data they're looking to extract. Exploiting Spectre or Meltdown would mean stealing massive amounts of data that an attacker may not know what to do with. "The whole point of [an attack] is to send data home," Teich said, adding that attackers tend to run "pinpoint surgical operations."

Chris Morales, head of security analytics for cybersecurity vendor Vectra, agreed.

"The reality is, while these are scary attacks conceptually, the ability to execute an attack utilizing these flaws is still hard," Morales told Security Now in an email. "The data rate for extraction of data from system memory is very low, meaning stealing anything more than a simple password could take days or much longer."

For now, the industry will have to push on with Spectre and Meltdown always looming, at least for the next several years.

"The problem isn't going to go away until Intel and other companies with technology susceptible to Spectre and Meltdown change the [chip] architecture," Pund-IT's King said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
