Meltdown and Spectre: Patches and Workarounds Appear
Makers of Operating Systems, Devices and Cloud Services Rush Fixes
Microprocessor makers, operating system and software developers and smartphone and other device manufacturers are rushing to prep, test and ship fixes for serious CPU flaws.
The vulnerabilities, known as Spectre and Meltdown, exist in some modern processors built by Intel, AMD and ARM, and could be exploited to steal data from systems, including encryption keys and passwords. While some security experts say the real-world risk from attacks is low, they recommend individuals and organizations patch as quickly as possible (see Serious Meltdown and Spectre Flaws Make CPUs Exploitable).
Intel has confirmed that a number of its processors are vulnerable to Meltdown and Spectre and that it has "begun providing software and firmware updates to mitigate these exploits."
Chip manufacturer ARM says most of its processors are not affected, as does AMD. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time," AMD says in a statement.
Operating System Updates
The Linux kernel has been patched to block Meltdown; a fix for Spectre has not yet been released. Red Hat and SUSE have begun releasing patches as well.
Security researcher Alex Ionescu says Apple included fixes for Spectre/Meltdown in 10.13.2, released Dec. 21, and notes that the forthcoming 10.13.3 update includes "surprises."
Google says Android is vulnerable, but that exploiting the flaw would be "difficult and limited" on most devices. Google says it released patches to business partners last month and that Google-supported devices will receive a patch as part of this month's Android security update.
For browsers, the Mozilla Firefox and Google Chromium teams have released workarounds, because attackers could use their browsers to target vulnerable systems, for example via sites hosting malicious JavaScript. "Our internal experiments confirm that it is possible to use similar techniques" - to Meltdown and Spectre - "from Web content to read private information between different origins," Mozilla software engineer Luke Wagner writes in a blog post.
Google says Chrome can be set to use an optional "site isolation" feature, which should block attacks. "Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation," it says.
On Jan. 9, Microsoft will release updates for all supported operating systems - Windows 7 to 10, and Windows Server 2008 to 2016 - that help block the flaw from being exploited.
Anti-Virus on Windows: Updates Required
But the Windows updates are not compatible with many types of anti-virus software, which must be updated to work with a new registry key, says Kevin Beaumont, a security architect based in Liverpool, England.
Okay there is another VERY IMPORTANT THING with Microsoft Meltdown patches - "Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key" https://t.co/KyEbqcKrXl
— Kevin Beaumont (@GossiTheDog) January 4, 2018
Anti-virus vendors have already begun releasing updates. Kaspersky Lab, for example, issued patches for its products on Dec. 29, apparently after getting an early heads-up via the Microsoft Active Protections Program for security software providers.
But many anti-virus firms are still racing to get updates in customers' hands. "All AVs got screwed over by the accelerated timeline," says Fabian Wosar, CTO and head of the malware research lab at anti-virus software vendor Emsisoft, which makes Emsisoft Anti-Malware as well as the scanning engine used by Bitdefender (see Surveying 17 Anti-Virus Firms on Their Security Practices). "We got informed about the registry key on the 2nd. Even a simple change like that takes time to go through QA and the original schedule was to have it ready by Tuesday," he says via Twitter. "We will likely release a patch today."
We have known of the issue for a lot longer. But we got informed about the registry key we need to set to signal compatibility on Monday. That's why even AVs that are compatible like EAM don't have it set yet.
— Fabian Wosar (@fwosar) January 4, 2018
Cloud Concerns
On the cloud and virtual machine front, VMware on Wednesday released patches for all affected products.
It warns that it does not yet have a patch for ESXi 5.5 that blocks the variant one attack, CVE-2017-5753.
The open source Xen hypervisor project says that "systems running all versions of Xen are affected" and that systems running Intel and AMD chips are vulnerable to SP1 and SP2, while SP3 can in some cases be mitigated via settings. "We believe that ARM is affected, but unfortunately due to the accelerated schedule, we haven't been able to get concrete input from ARM," according to Xen's security alert.
"There is no available resolution for SP1 or SP3," Xen says. "We are working on patches which mitigate SP2 but these are not currently available."
Cloud service providers such as Amazon and Microsoft say they have already updated their servers to protect users. Hosting providers are also putting fixes in place. French hosting giant OVH, for example, says it plans to install patched kernels and reboot all hosted systems on Saturday, timed to minimize disruption to customers.
"Clearly those using virtual machines are particularly worried as they use shared memory platforms to provide their services," says Alan Woodward, a computer science professor at the University of Surrey. "But again we know the likes of AWS and Azure have fixes so it might be a disruption as they reboot but it shouldn't be that big a deal - you'd hope cloud providers would have plans for when the 'tin' has to be switched off and on again."
But the attacks are a reminder that cloud services that run multiple instances on a single server may pose an increased risk.
"Cloud-based services, or indeed any systems that share physical platforms via virtualization, are getting a bit of a reputation for memory leakage issues, so this is really just another bug bump in the road for them," Woodward says. "But it is an issue people might like to consider before putting their super-secure application on one of these cloud platforms."
Patch Concerns
As patches continue to get released, however, how many users and organizations will install them? "With nearly all modern processors being impacted, one has to ask the question - will every computer, TV, DVD player and Internet of Things device receive the same attention and reach the same patching potential?" asks Chris Pierson, CEO of risk advisory firm Binary Sun Cyber.
"Will nearly every company or household have a major means of ingress for the next decade? Given the length of time technology hardware lasts, it is likely we will see unpatched devices for years."