Patching Spectre and Meltdown is going to require a wide range of action

It’s been a rough week for chip manufacturers and operating system companies. They’re taking the most heat because of new disclosures of long-standing flaws in processor architectures that have widespread cybersecurity implications. If the deficiencies are left unaddressed, they pose a risk of compromise to data stored across devices around the world.

In the last few days, it got worse for AMD and Microsoft when the latter released a patch to address security flaws on AMD-based systems. The patch caused many systems with older AMD processors to become unusable. After applying the patch, users reported that their systems failed to boot or that they received a blue screen. Until Microsoft resolves the issue, they have put a temporary halt to the security patch on affected AMD systems.

{mosads}The level of transparency on these issues by the affected processor and software vendors is mixed, so businesses and users alike need to take public disclosures of the risks from these vulnerabilities with a grain of salt. Although there has been no public report of a successful mass attack campaign using the vulnerabilities, there have been a few proof-of-concept attack vectors that have been successful in the lab, called Spectre and Meltdown. AMD has claimed there is zero exposure to Meltdown, and that Spectre is addressable by software patches.

Why do Spectre (and Meltdown) vulnerabilities concern security professionals?

Although these recently published attack vectors pose a risk, chip and software vendors and the cybersecurity community understand them well. The newly reported processor flaws are characterized using the technical jargon of speculative execution. More simply, the design flaws are rooted within the processor’s architecture where a design defect allows applications to cross memory boundaries into the protected memory of other applications. Variants to the flaw exist where malware could potentially gain access to the memory of other applications (in the case of Spectre) or where malware could gain access to a device’s memory (in the case of Meltdown). The Spectre vulnerability is possible on a broad range of processor designs from multiple vendors. Meltdown is limited to just Intel processors.

The architecture flaws first came to light for vendors in mid-2017. However, they were recently brought into the focus of security professionals and others when chip and software vendors went public with disclosures on the flaws. If these flaws get used in a successful attack, it could lead to a broad range of malware including privilege escalation attacks that could result in compromise to a user’s data stored on their device. Although some vendors have downplayed the potential risk from these flaws, they are of concern because of the inherent complexity to resolve the deficiencies and the significant number of devices that have the flaw.

Is it true the Windows patch for Spectre renders AMD systems unusable?

The reports are true that for some AMD processors the Microsoft security patch recently released to address the Spectre vulnerability can leave systems in a state where they cannot boot. Because the flaw is in the processor architecture, a permanent solution will require a fix in future chip designs. Short term, devices will need to be updated with a mix of firmware updates from the chip manufacturers and security patches from software vendors. Many chip and operating system vendors, including Microsoft, Google, Intel, AMD, among others, are working aggressively to address these issues as soon as feasible.

How can we patch vulnerabilities on AMD?

Unfortunately, users that have systems with older AMD processors on their systems will have to wait for appropriate updates from AMD and Microsoft. In the meantime, users should ensure that reputable endpoint anti-malware (anti-virus) software is installed and active with the most recent malware signatures.

Although these newly reported attack vectors are of concern, in practice they will be very challenging for attackers to use as a successful attack vector because of the inherent complexity of memory management in system processors. To mitigate the risk of malware, users of computer-based systems should ensure they have cyber defenses in place and that are known to be effective at addressing common attack vectors that are being used successfully by attackers.

Users of systems with affected AMD processors should make sure the appropriate firmware and software updates are applied when they are made available by Microsoft and AMD.

What systems require patching for vulnerabilities?

Unfortunately, any device that uses processors that have the flaw will eventually need to be patched. The number of affected devices is most likely in the billions, according to cybersecurity company Norton by Symantec. Devices that are affected by the flaws span laptops, desktops, mobile devices, cloud-based systems, and more. Software vendors that will need to supply patches for the flaw are many and include Microsoft, Apple, Google, and more. The firmware updates and security patches are starting to flow but, for some processor and operating system combinations, it will take time.

Where to go from here?

As with most cybersecurity concerns, users have to stay vigilant. Companies should ensure defense-in-depth info security protections are in place (e.g., endpoint security, firewalls, log management) and are efficiently working. Similarly, companies should ensure all industry required info security controls are in place and working (e.g., access control, configuration management, patch management). Users should stay on top of updates from the vendors for their devices — including chip, operating system, and applications, with an understanding there may be a delay for some firmware and security patch updates. 

Companies can additionally utilize third-party risk management and information security monitoring services to assess and monitor external exposure to threats and address issues as they are uncovered to minimize cybersecurity risk. And finally, devices should have recommended updates to firmware and security patches as recommended by technology vendors.

Alex Heid is the chief research officer at SecurityScorecard and former hacker.