What's the Latest on Spectre and Meltdown Remediation?
The recent discovery of the two vulnerabilities, Spectre and Meltdown, shook many a security firm's tree. The vulnerabilities attack performance-enhancing features of processors and can affect kernel-level performance and commands. Since January 3rd, security teams have been working to deal with the vulnerabilities created by the discovery. Early patches created a few issues, especially performance slowdowns. Remediation efforts will be ongoing for a while, especially since Intel repaired another major vulnerability in 2015 that was found in 2008.
For users hoping to see a faster solution for the Spectre and Meltdown issues, efforts seem to be going better. The following explains the current state of the vulnerabilities and the road forward to a complete fix.
Spectre and Meltdown
Found by four different independent teams of researchers within weeks of each other, these two vulnerabilities represent a massive threat to current processors. Unlike viruses, which change or break code, Spectre and Meltdown exploit the way processors are designed to work. The vulnerabilities affect some chip-sets from Intel, AMD, and ARM. This leaves nearly every computer made since 1995 at risk. Spectre allows attackers to gather information from the kernel because it breaks application isolation. Fortunately, the kernel memory only encompasses a small amount of information, so siphoning data by this method would take a considerable amount of time. Even small amounts of data, though, if they are the right bits of data, can add up to a massive data breach. Fixes for the issue will likely require microcode updates in addition to other patches. Meltdown works in a similar fashion, except that the isolation break extends from applications to the operating system. This enables attackers to access memory and from there to access other programs throughout the operating system. The complexity of the issues with Spectre and Meltdown requires a broad variety of changes and some re-evaluation of chip design for the future. Though the impact of these two vulnerabilities will be ongoing for a few years, the direct impact on computer users should not be an undue burden.
To address the issues created by these vulnerabilities, engineering teams across multiple companies have been rolling out patches. Unfortunately, each patch can cause other issues, and extensive testing takes time. Each patch that comes out has to be tested before it can address the initial problem and/or the issues possibly created by a previous patch. The initial roll-out of patches bricked some AMD machines, which was attributed to flaws in the chip-set specifications. Regardless of the cause of such errors, those affected certainly thought the cure was worse than the disease. Future efforts to repair the problem will hopefully be more cautious. The total process could take up to five years to fix. Some critical areas, such as medical devices or control systems, could take even longer. Fortunately, many of those are "offline" and less subject to attack. The following looks at the steps being taken to deal with the issues as fix efforts continue.
1. Identify Systems Impacted by Spectre or Meltdown
Impacted systems need to be found to understand the full scope of the issue. During this phase, more chips will likely be added to the affected list, and different patches will be created for each to prevent bricking and reboot issues. The systems to inventory go beyond desktops and servers to mobile devices, cloud services, and cloud infrastructure. Each system features differences that will need to be addressed, both in the changes a patch must make and in the delivery and execution of any change.
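One way to carry out this inventory step on Linux hosts, as an added example that is not part of the original article: the kernel (since 4.15) reports its own Spectre/Meltdown status under /sys/devices/system/cpu/vulnerabilities, and the script below classifies each entry and flags any host that is still vulnerable. The directory is a parameter so the same check can be run over files collected from other machines; the sample data is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): classify a Linux host's
# Spectre/Meltdown status from the kernel's sysfs vulnerability files.
# Each file under the directory is named for a vulnerability (meltdown,
# spectre_v1, spectre_v2, ...) and holds one line of status text.

# Print "<name>: <verdict> (<raw status>)" for every entry.
# Returns 1 if any entry still reports "Vulnerable", 0 otherwise, so the
# exit code can drive an inventory or a SIEM-fed collector.
spectre_status() {
    vulndir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$vulndir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     verdict="VULNERABLE"; rc=1 ;;
            "Not affected")  verdict="not affected" ;;
            Mitigation*)     verdict="mitigated" ;;
            *)               verdict="unknown" ;;
        esac
        printf '%s: %s (%s)\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Constructed sample data standing in for a partially patched host:
# Meltdown is mitigated by page-table isolation, Spectre v2 is not yet.
make_sample() {
    dir=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$dir/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$dir/spectre_v1"
    printf 'Vulnerable\n' > "$dir/spectre_v2"
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    spectre_status "$sample" || echo "host still vulnerable"
fi
```

Run with `--demo` to see the constructed host, or with no arguments to check the machine the script runs on.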
2. Identify Vendors
Security and risk-reduction services vendors will be alerted to issues and fixes so that they can begin and monitor testing processes. This provides an underlying test-bed for patches to ensure quality before they are extended to general users. Vulnerability management specialists will be able to handle unexpected complications and report back to the patch engineers in a closed loop. Mitigation steps, especially hardware replacement for larger infrastructure, come first.
3. Patching Plan
Patching will come out in stages along the lines laid out by the previous two steps. The top priority remains systems that have web access, as they will be the most easily targeted due to connectivity. Because performance issues make up the largest set of known issues with patches, system workloads will need to be monitored to keep vital systems from suffering major issues. Performance drops of up to 20% have been observed. Anti-virus companies will need to issue software updates to keep the patches from being rejected or isolated in whole or in part. This issue comes from the nature of any change to something as fundamental as the kernel and memory. Microsoft has a specific anti-virus check in place to ensure compatibility with the update. Host-based controls will be put in place to monitor changes to the operating system as each patch is released. A pattern of updates from lesser systems to major systems will be followed. This pathway tends to go through anti-virus, then the OS, then the BIOS before any microcode gets changed and updated.
4. Patch Deployment
Patches should be released in a staggered fashion to avoid crashes and limit negative effects. Between each patch deployment should be a period of monitoring. Currently, patch deployment for Windows 10 remains limited for the auto-updater until engineers can be certain that bricking and rebooting issues will not repeat. ACE-ITS has seen some client workstations negatively impacted, with hours of downtime resulting from re-installations of software or operating systems.
Monitoring for unexpected issues from patches will fold in with deployments. Monitoring for exploitation of the vulnerabilities will also occur. The Spectre and Meltdown exploitation monitoring will be ongoing and include recommendations and warnings if specific attacks occur. Having appropriate Security Information and Event Management systems in place to aggregate and review this monitoring will be key for organizations to stay in front of the vulnerabilities. Fortunately, a steady pace of patching limits the ability of hackers to exploit the vulnerabilities because the playing field will change unexpectedly. Rolling out patches in stages helps to ensure that more issues don't get created, and it also reduces the amount of time that specific iterations can be manipulated for further exploits.
More Security Information
Staying up to date on security and computer issues can be taxing. Users and companies both benefit from checking with professional technology services and the information they have access to. Computer security is as important as it is difficult to understand. The smart play for businesses remains to trust experts to handle security efforts.