The One Important Thing You Need to Know about Spectre and Meltdown

There is a lot of information going around about a new security problems with processors (not just Intel’s, well sort of). You see there are two exploits tied to what is being termed Side-Channel Analysis. One that is relatively easy to patch and appears tied to just Intel called Meltdown and one that could impact both ARM and AMD processors as well, but is both harder to execute and harder to protect against called Spectre. The last requires targeted exploits which, for now, means the defenses have to be equally tightly focused. Microsoft, Linux (who is not amused), and Apple apparently have patches either already out or in the process of being pushed out for Meltdown but there are only point solutions for Spectre at the moment. Intel, due to their footprint, is likely the bigger target and lower end ARM processors aren’t at risk.

I’ll cover each vendor’s platform and discuss risk and close with the One Big Thing you need to take away from this.

ARM

Fairly low risk. The likely targeted platforms would be high-end smartphones and given we are talking Spectre—which is a targeted exploit—the likely risk is only if you are a politician or a high-ranking executive. Law enforcement might be able to use this to break into a high-end phone as well but, for most of us, that will never be an issue. I would suggest you keep your patches up to date and that, given this clearly won’t be the last exploit like this, carriers should have a faster update process for security patches to further mitigate exposures like this in a timely manner. But, if you aren’t famous, powerful, or in some type of security role, the risk to you with ARM is currently almost insignificant. Given many of the folks most at risk are likely on special phones like Blackberries the risk to them is probably insignificant.

AMD

Like ARM, AMD appears to be only vulnerable to Spectre and not Meltdown. But given AMD has historically sold lower end products and just recently gotten back into servers, and because Spectre requires targeting it seems unlikely any AMD servers or PCs will be targeted. It’s too small a footprint thus not enough return for the effort and AMD’s security is different than Intel’s, likely increasing the effort for what will likely be a far lower payout if the exploit is successful. There is an advantage to being different. However, patches intended to protect Intel hardware will also be loaded onto AMD machines and software patches that slow down Intel products will also likely slow down AMD’s as well. Currently that slowdown is falling closer to the low end of the 2% to 30% range on Intel parts and likely would have a similar impact on AMD.

Intel

This is where it gets ugly because Meltdown and Spectre target Intel almost exclusively. There are patches either coming or in place from Apple, Microsoft and Linux for Meltdown but—as noted—Spectre is a targeted exploit not a general one and, for now, the patches related to Spectre only work against known attacks. There is no broad patch eliminating the exposure and to fully address that exposure it appears you may need a new processor in the future. Intel is dodging a recall now, and this shouldn’t require one, but the optics surrounding the event from Intel’s lack of timely disclosure to their CEO divesting himself of every Intel share he could sell (around $25M) make it look like the company is misacting and if the various regulatory agencies, both domestic and abroad, come to that conclusion a recall will be forced. You may still be OK if the related products are protected underneath a strong layered defense or have aggressive access management like Varonis active at your site. Intel is aggressively dropping patches to mitigate this problem, but the true fix will be a new part that doesn’t exist yet in market and you should take that into account.

The One Thing You Need to Know About the Security Flaw

The patches that are being released are only being released against current operating systems from the OS vendors. The folks who are mostly, and will continue to be exposed, to both Meltdown and Spectre will be those who are on older versions of Windows largely using Intel hardware. This is a nasty exposure in that it will uncover ids and passwords allowing an attacker full access to your PC or server. This is, once again, a reminder that in today’s hostile world, not staying current on operating systems or patches carries with it a serious risk.

Wrapping Up

Side-Channel Analysis is a new kind of exploit that creates exposures for both ARM and x86 processors and effects all related vendors to some degree. Intel has the greatest exposure and while they are aggressively handling patching and have affectively rallied the industry to mitigate this threat, they aren’t handling the related messaging well and the untimely divestiture by their CEO of much of his investment in Intel doesn’t bode well for that company, making a recall more likely. Most at risk, now, are those on older versions of Windows running on Intel hardware once again reminding us of the importance of keeping OSs up to date and fully patched.



*** This is a Security Bloggers Network syndicated blog from Security – TechSpective authored by Rob Enderle. Read the original post at: http://techspective.net/2018/01/05/one-important-thing-need-know-spectre-meltdown/