When cyber vulnerabilities are found, we shouldn't think of it as a failure - more as an inevitability. In the open, standards-based computing and network environments we rely on, across hardware and in software, millions of instructions and rules interact in ways that can't always be predicted. Amid this complex fabric, unavoidably there are dropped stitches, just waiting to be discovered or picked at.
But just as threats - and their exploitation - are commonplace, so are their fixes. There's a worldwide community dedicated to finding and reporting security issues, and a related one intent on defeating the malware that might exploit them. By now we're all familiar with the typical cycle: a vulnerability is announced, a patch is rolled out. Malware appears, protections are updated. Weaknesses are fixed, the world moves on. So what's so different about Spectre?
In a word, hardware. Most cyber threats exploit vulnerabilities in software which, once identified, are easily removed. But where the problem is in the underlying hardware, rolling out a fix can be more challenging. Often it's possible to mitigate through a firmware update, but the Spectre and Meltdown vulnerabilities are inherent in the design of almost every processor made in the last couple of decades. While Meltdown can be effectively fixed, it's thought that we can only mitigate against the effects of Spectre until processor microarchitecture can be overhauled.
Raising the Spectre
Spectre and Meltdown comprise three potential security issues, all of which work the same way. Modern processors try to 'guess' which path they'll take through code and speculatively execute the relevant instructions ahead of time to speed things up. With all three vulnerabilities, the potential is that malicious code could use this feature to snoop on areas of system memory that should be off limits, potentially revealing vital secrets like passwords or encryption keys.
Which brings us to the first problem: these vulnerabilities are like no other in terms of scale, with literally billions of devices affected. In many cases the vulnerable processors are embedded - they couldn't be swapped out even if replacements were available.
That's the second problem: not only are there no replacement processors now, there won't be until manufacturers have a chance to redesign future generations of chips. Legacy processors? We're probably just stuck with them.
The third problem is that the community's only hope in the meantime is to modify the way software works at a low enough level that the vulnerabilities aren't exposed. That's a big job with its own risks - Intel's first effort to patch one of the Spectre vulnerabilities was unstable and had to be withdrawn. And of course, because the vulnerable feature enhances performance, switching it off has a big impact - some workloads are said to run up to 30% slower without it.
So what's the plan?
Before we get too gloomy, it pays to remember two things:
- No in-the-wild malware is known to have successfully exploited either vulnerability, although researchers have identified more than 130 samples that try to.
- For an attacker to successfully exploit either vulnerability they need to execute code on the target system: in theory that gives security software the opportunity to detect and block the exploit.
Across the industry, vendors are largely agreed about the prudent approach for end users. Writing on the AlienVault blog, Sacha Dawes lays out a typically sensible three-point approach:
- Identify systems which are vulnerable, checking with vendors on how to detect, confirm and patch vulnerabilities across your estate.
- Evaluate and fully test patches. Check for side effects and weigh their impact against your business needs. Apply patches whenever possible.
- Implement the same protections as you would for any malware or ransomware, following best practice for malware attacks.
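One way to carry out the first of those steps on Linux hosts, as an added example that is not part of the original post or of the AlienVault advice: since kernel 4.15 Linux reports its own view of each CPU vulnerability in /sys/devices/system/cpu/vulnerabilities/, one file per issue, and the script below reads the three files for Spectre v1, Spectre v2 and Meltdown and flags any that still read "Vulnerable". The directory is a parameter so the check can be run against a constructed copy of that tree (the sample values at the bottom are such a fixture, not output from a real host); on a live system call it with no argument.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the per-vulnerability
# status files the Linux kernel exposes under
# /sys/devices/system/cpu/vulnerabilities/ and reports which of Spectre v1,
# Spectre v2 and Meltdown the running kernel considers unmitigated.

# Print "<name>: <status>" for each file; return 1 if any is unmitigated
# or its status file is missing (older kernel, or not Linux at all).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "$name: status file missing (kernel too old or not Linux)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        echo "$name: $status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Print the number of the three issues that are unmitigated (a missing
# status file is counted as unmitigated, matching check_cpu_vulns).
count_vulnerable() {
    dir="$1"
    n=0
    for name in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$dir/$name" ]; then
            case "$(cat "$dir/$name")" in
                Vulnerable*) n=$((n + 1)) ;;
            esac
        else
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed fixture: a sysfs-style tree for a host that has the Meltdown
# kernel page-table isolation fix but no Spectre v2 mitigation. The status
# strings mirror the wording the kernel uses; the combination is invented.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/vulnerabilities"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE_DIR/vulnerabilities/spectre_v1"
printf 'Vulnerable\n' > "$SAMPLE_DIR/vulnerabilities/spectre_v2"
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/vulnerabilities/meltdown"

# Run against the fixture. Exit status 1 is the signal an inventory job
# would key on to list this host as still needing a patch or firmware update.
check_cpu_vulns "$SAMPLE_DIR/vulnerabilities" \
    || echo "ACTION: $(count_vulnerable "$SAMPLE_DIR/vulnerabilities") unmitigated CPU vulnerabilities"
```

Run across an estate (for example via your configuration-management tool), the non-zero exit status gives a cheap first pass at the "identify vulnerable systems" step; the kernel's own status string tells you whether the gap is a missing kernel update or missing microcode, which is the question to take to the vendor.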
An industry in chaos?
Talk of an industry in chaos might be over-egging it a bit, but Meltdown and Spectre are serious issues - and we're going to be living with them for a while. Already there's been finger pointing at the chip giants, first for baking the vulnerability into their chips, then for less-than-ideal patches to deal with them. On discovering that Intel wanted to make operating systems opt-in to the interim protections coming to future processors, Linux creator Linus Torvalds was incandescent.
While the hardware and software communities argue about the details, the cyber security community will need to remain vigilant, particularly for malware that seeks to exploit vulnerabilities on un-patched systems. For all of us, it's yet more reason to prioritise security across all aspects of the enterprise, and to build best practice, multi-layer controls and protection into everything we do.
Advice from Ideal partners
Please follow these links to see the current advice on the Spectre and Meltdown vulnerabilities as they relate to key Ideal partners Cisco and Palo Alto Networks. If you have any remaining questions about your infrastructure or services, please don't hesitate to contact us.
Image: Tomohiro Sibuya/Flickr, public domain