2018 is off to a rocky start for cybersecurity. Before the end of January, two huge security vulnerabilities were detected which took weeks for internet service providers to patch. Unfortunately, the complicated nature of these vulnerabilities has made the development of solutions much more difficult than expected, meaning Meltdown and Spectre are alive and well despite Intel’s latest patch.
Shortly after release, it was discovered that Intel’s patch solved most Meltdown/Spectre issues, but was causing devices to, among other things, reboot unexpectedly and lose data. In response, Intel released a statement telling customers who were updating critically vulnerable systems to forgo the patch entirely. Dell and HP were among the first to heed Intel’s advice and stopped deploying the BIOS updates which carried the faulty patch. Microsoft, on the other hand, has issued an out-of-band update that specifically disables the Spectre mitigation patches until Intel releases a more stable fix.
As of now, Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability. The Variant 2 attack, known as “indirect branch speculation,” is considered the most difficult attack to mitigate and carries with it the highest risk for virtualized environments in the cloud.
Further confusing matters, independent vendors have been releasing and retracting patches almost constantly. If you don’t know where this moving target has migrated to, you’re not alone. Here’s the latest on the status of these patches and what steps you can take to secure your organization.
What went wrong?
The errors caused by Intel’s patch can be traced back to how it negatively affected Haswell and Broadwell chips. Intel later found that the same problems affected Kaby Lake and Skylake CPUs. A resolution from Intel is still forthcoming, though their official advice is to focus efforts on testing early versions of the updated solution to help accelerate the new release.
What caused Meltdown/Spectre?
The harsh answer is consumer demand. In our haste to create faster, smarter hardware, we’ve developed microprocessors that contain computer chips with major flaws and archaic elements from as far back as 1995. To satisfy our need for increasingly fast computers, chip developers added an element to processors called “speculative execution.” Speculative execution allows a processor to guess what actions a user might perform next so as to prepare mechanisms and increase device speed, essentially letting your device stay one step ahead of you.
The problem with this function is what happens to those predicted actions which, after your action, prove to be inaccurate. These functions are unprotected because they appear on the surface to be nothing more than disposable mistakes. But they’re also breadcrumbs for anyone sorting through these trashed functions; breadcrumbs which may allow a hacker to gain access to your personally identifiable information (PII).
Meltdown and Spectre use this speculative execution to trick your computer into generating guesses with your PII. From there, a hacker can gain access to information on your computer, personal devices or even in the cloud. There are differences in how the two collect your data, but the end result is the same.
Is there a solution?
Unfortunately, the short answer is no. To completely fix these vulnerabilities, new hardware will need to be designed, which means many devices may be susceptible to Spectre attacks for decades. Don’t let that stop you from applying patches now, as these will still provide you with some valuable protection from attackers.
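Because patches have been released and pulled so often, it helps to confirm what is actually active on a machine. The following is an added example, not part of the original article: it assumes a Linux host whose kernel exposes the `/sys/devices/system/cpu/vulnerabilities` status files (an interface the article does not mention), and it falls back to constructed sample data where that directory is absent.

```python
import os
import tempfile

# Linux kernels that carry the Meltdown/Spectre fixes report status here.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")  # issues covered in this article
PREFIXES = (("Not affected", "not_affected"), ("Mitigation:", "mitigated"),
            ("Vulnerable", "vulnerable"))

def classify(text):
    """Map the kernel's status line to a coarse state."""
    text = text.strip()
    for prefix, state in PREFIXES:
        if text.startswith(prefix):
            return state
    return "unknown"

def check(base=SYSFS_DIR):
    """Return {issue: (state, raw status line)} for each issue."""
    results = {}
    for name in ISSUES:
        try:
            with open(os.path.join(base, name)) as fh:
                raw = fh.read().strip()
            results[name] = (classify(raw), raw)
        except OSError:
            # No file: the kernel does not report this issue, so nothing is known.
            results[name] = ("unreported", "")
    return results

def needs_attention(results):
    """Issues not confirmed as mitigated or not affected."""
    ok = ("mitigated", "not_affected")
    return sorted(n for n, (state, _) in results.items() if state not in ok)

def make_sample_dir():
    """Constructed sample data for hosts without the sysfs directory."""
    base = tempfile.mkdtemp()
    for name, line in (("meltdown", "Mitigation: PTI\n"), ("spectre_v2", "Vulnerable\n")):
        with open(os.path.join(base, name), "w") as fh:
            fh.write(line)
    return base

if __name__ == "__main__":
    base = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else make_sample_dir()
    report = check(base)
    for name, (state, raw) in report.items():
        print(f"{name:11} {state:12} {raw}")
    print("needs attention:", needs_attention(report))
```

An "unreported" result means the kernel gives no status for that issue, which is treated as needing attention rather than as safe.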
What can we do until then?
The situation isn’t as dire as it seems. These attacks are not so unique that you’re automatically vulnerable; each requires malware to be installed on a device before it can operate. So, your best defense is to adhere to tried and true standard security practices. In the long run, to combat Meltdown and Spectre, developers will need to design an entirely new form of hardware. Our current model of computer hardware is not sufficient.
There’s no such thing as an airtight security system. Unlike physical locks, cybersecurity is more like a mathematical equation that, over time, will slowly erode and crack under the weight of artificial intelligence and the evolving sophistication of cybercriminals. Thus, a successful cybersecurity program isn’t an endpoint, it’s a journey that must constantly reevaluate itself and evolve to overcome new threats. All you can do is keep your wits about you, maintain best practices and monitor your systems frequently.