It seems the internet is all abuzz with news of the latest cyber security flaws and how, literally, the sky is falling. That said, it's hard to really know where the truth lies. Don't get me wrong, this is serious. There are reports that every CPU on every device in use has a major security flaw with its microprocessor. The difference this time is that we're talking about a flaw embedded deep within the hardware and not just the software layer.
Pretty scary stuff indeed.
Computer researchers have found that the main chip in most modern computers - the CPU - has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on your network, including all of your workstations and all of your servers. This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other as well as from the operating system. Unfortunately, this hardware bug breaks that isolation.
The two attack vectors that everyone is now concerned about are called Meltdown and Spectre. Flaws in the method most modern processors use for performance optimization could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys and emails. It's not entirely certain whether security products can even detect malware that uses these flaws; to be clear, though, there is no evidence of exploitation yet. Unfortunately, because these flaws are buried deep within the hardware, attacks won't leave any traces in traditional log files and are unlikely to be detected by security products.
Here's a quick overview:
That being said, here are 6 things that we believe you need to know about the Spectre and Meltdown security exploits...
1. So Far - No "Observed Active Deployment" of Spectre and Meltdown
Intel Vice President Stephen Smith says that so far the chip giant has observed "proof of concept" of the Spectre and Meltdown exploits but has not "observed any active deployment" of the exploits in PCs or servers.
2. Intel Encourages Customers to Utilize Automatic Updates
Intel is encouraging "computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date." The company said the system updates are being made available by system manufacturers, operating system providers and others.
"We have begun providing software and firmware updates to mitigate these exploits," said Intel in a document on the security exploits. "End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available."
Intel said that for "malware to compromise security" using Spectre and Meltdown it must be running locally on a system. "Intel strongly recommends following good security practices that protect against malware in general, as that will also help protect against possible exploitation," Intel said.
Intel said that many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
3. This is an Industry-wide Issue Not Specific to Intel
Intel has gone to great lengths to stress that Spectre and Meltdown are not "unique to any one architecture or processor implementation." In fact, Intel says security researchers notified Intel, AMD and ARM of the exploits.
The exploits affect most modern processors and can be executed against mobile devices, desktops, laptops and servers running in cloud environments. All told, the flaw affects nearly every device an end user has or operates. This is significantly different from previous security flaws because it is based on a critical hardware flaw, not a software flaw. Therefore, the scale is massive.
4. AMD Claims "Near Zero Risk" on AMD Processors
At the same time, chip manufacturer AMD claims there is a "near zero risk" to AMD processors in regards to Spectre and Meltdown. In fact, AMD says it has no plans to issue operating system or firmware updates for its processors. When asked by an analyst about comments from AMD that the issue does not impact that company's processors, Intel responded that the researchers have demonstrated some of the exploits running across a variety of product implementations, both in hardware and software.
5. ARM Claims "Majority of our Processors are Not Impacted"
ARM Holdings, which makes processors for smartphones, said the "majority of ARM processors" are not impacted by Spectre and Meltdown. That said, ARM cautioned users that it is important to note that the exploits are dependent on "malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads."
6. The Performance Impact on PCs and Servers
Using industry benchmark testing, Intel found the average impact of the mitigations (i.e., the patches needed to address this flaw) on performance to be between zero and two percent, said Ronak Singhal, Intel Fellow and director of CPU compute architecture at Intel. "A workload that is largely in the user space will see little to no impact," he said. However, for workloads that spend a lot of time going back and forth between the operating system and the application, some synthetic workloads have shown an impact of 30 percent or more, Singhal said.
So, what does this really mean? Well, we (us end users) may see a little bit of a performance degradation when the systems get patched. And according to Microsoft, they're planning on releasing the needed patches on Tuesday.
Attacks that impact microarchitecture of CPUs have been around and known for more than a decade. Most though were thought to be only exploitable in very limited cases, many involving physical access. What this really means is that we need to stand vigilant in our approach to security and know how critical it is to keep patches up to date.
What You Should Do
Apply the first available security updates from the companies who make the software on your devices, like Microsoft Windows or Apple for iOS. You should also make sure your Anti-Virus software is prepared to address the needed patch. Also, make sure your browser is up to date. For Chrome or Firefox users:
- Google has stated, "Chrome 64, due to be released January 23, will contain mitigations to protect against exploitation." In the meantime, you can enable "Site Isolation" found in current stable versions of Chrome to provide better protection.
- Mozilla has released information describing their response, including how Firefox 57 will address these security flaws.
Cloud providers such as Amazon are working to patch the servers used in their data centers, and some users may experience down time as they do this.
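Because these attacks leave no trace in traditional logs, the practical check after patching is whether the mitigations are actually active. The script below is an added example, not part of the original post or any vendor tool; it assumes a Linux system whose kernel reports status under /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```python
"""Report Meltdown/Spectre mitigation status as stated by the Linux kernel."""
import sys
from pathlib import Path

# Assumption: the kernel exposes per-flaw status files in this sysfs directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Status files covering the two flaws named in this article.
FILES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text):
    """Map the kernel's one-line status string to a coarse verdict."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        # Heuristic: some kernels append a sub-item that is still marked
        # vulnerable after the main mitigation; treat that as partial.
        return "partial" if "vulnerable" in line.lower() else "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check(base=SYSFS_DIR):
    """Return {name: (verdict, raw_line)}; a missing file is 'unknown', not safe."""
    report = {}
    for name in FILES:
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # Unpatched or non-Linux systems have no status file at all.
            report[name] = ("unknown", "status file not present")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Names whose status is anything other than mitigated or not affected."""
    ok = {"mitigated", "not_affected"}
    return sorted(n for n, (verdict, _) in report.items() if verdict not in ok)


if __name__ == "__main__":
    result = check()
    for name, (verdict, raw) in result.items():
        print(f"{name:12} {verdict:13} {raw}")
    # Non-zero exit lets a patch-management job flag the host.
    sys.exit(1 if needs_attention(result) else 0)
```

A missing status file is reported as unknown on purpose: a kernel too old to report its status is also too old to carry the fixes.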
That said, all of FPA's Managed Service clients are patched and updated as soon as needed patches are made available. Again, Microsoft has reported that it will be releasing the needed patch on Tuesday, January 9th and we will be making sure our clients are updated as such.
This is something we take very seriously and our NOC takes pride in. Also, ESET (FPA's Anti-virus of choice) was one of the very first security vendors to allow the Microsoft patch against the flaw to be enabled.
If your organization doesn’t have a formal, ongoing patch management process, we’d strongly suggest you consider one. If you’d like to learn more about FPA’s managed services program, feel free to drop me a line.
In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click!
Has this been helpful? Let me know what you think in the Comment box below or send an email if you’d like to chat further about this topic.