2018 “Meltdown” already…
Only 4 days into 2018 and the sense of foreboding has already started to resonate across IT security teams with the debut of two major security flaws: Meltdown and Spectre.
If the ominous names haven’t caused enough concern, perhaps it’s the panic caused by the media storm, vendor denials and ambiguity around remediating the vulnerabilities.
Take a breath and read on to find out everything you need to know.
So What’s All The Fuss About?
A hardware vulnerability has been found at the processor level of pretty much every device globally that allows critical information (e.g. credentials, credit card information, encrypted communication) to be exposed.
Specifically, Meltdown and Spectre are the two techniques researchers have discovered that circumvent all protections around this data.
The Bad News…
According to Techspot, it seems that companies who use virtualized environments are the biggest targets for those looking to exploit the vulnerability. This includes environments such as Amazon EC2 and Google Compute Engine.
The Register claims that those who have applied the patches released yesterday and today have seen up to 30% performance degradation. While those claims are still being verified, this highlights that early patches are a band-aid rather than a final solution.
In reality, the underlying vulnerability is caused by CPU architecture design choices. As these have been ingrained in most devices since the early 2000s, this problem goes beyond a security patch. Fully removing the vulnerability will require a fundamental re-design of the circuit board and will require input from all major vendors including Intel, AMD, Apple, Google and ARM. All eyes will be watching the development on that front!
The Good News…
At the time of writing, there are no known or active exploits of this vulnerability (though that could soon change given the media attention).
The exploit requires local access to the system in order to run, meaning that some level of compromise must already have occurred for the exploit to work. Normal cybersecurity precautions (e.g. mail gateways, anti-virus, network security) should protect the majority of estates against these exploits until their systems can be patched.
So What Should I Do?
Most major vendors, including Intel, VMware and Microsoft, have been quick to issue guidance, patches or statements on the vulnerabilities.
According to Microsoft, the short-term advice is to install the January 2018 Windows security update, update all firmware, and ensure your anti-virus is updated and working. At Options we continue to closely monitor the situation with our vendors and relevant parties, so watch this space for further updates.
This vulnerability, along with many others, is fundamentally caused by the finance and technology industry’s demand for high-performing machines. An unwanted result of this is that processors, compilers, drivers, and other integral components are evolving to meet this requirement, but simultaneously introducing critical security risks.
As the costs of security vulnerabilities rise, and the financial reward for exploitation increases, hardware and software vendors need to seriously re-think their prioritisation of security.
— John Gracey, VP Cybersecurity