Unintended Consequences: The Fallout of Vulnerability Hype

2018 started off with a bang as the information security community had a meltdown over the spectre of a new class of vulnerabilities which affect the core of every computing device: the central processing unit (CPU).

To improve performance, modern processors speculatively execute instructions that may or may not turn out to be required. If the execution turns out not to have been needed, the results are discarded and the program is blissfully unaware.

The new vulnerability class involves observing artifacts of speculative execution. The artifacts form a side-channel allowing an attacker to read memory across security boundaries: a malicious process could read the contents of a remote target process; or a malicious process could read the contents of kernel memory.

Ironically, news of the vulnerability was itself leaked through a side-channel when Jonathan Corbet noticed the KPTI (previously known as KAISER) patchset was being rushed for introduction in the upcoming Linux kernel update.

A change of this magnitude would typically undergo lengthy discussions and multiple revisions prior to being included for release. Instead of the expected discussion, the patchset was accepted without much fanfare by Linus Torvalds. Corbet’s article ignited a chain reaction as security researchers around the world began digging through prior research to uncover the vulnerability.

Speculation about the massive vulnerability reached a critical point when proofs of concept demonstrating the vulnerability appeared and vendors broke the coordinated release date by providing full disclosures almost a full week prior to the agreed-upon date. Smaller cloud computing providers scrambled to determine their exposure and apply the mitigations.
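Determining exposure on a Linux host comes down to reading the kernel's own report of which mitigations (KPTI among them) are active. The checker below is an added example, not code from the original post or from Cylance; it assumes the sysfs interface at /sys/devices/system/cpu/vulnerabilities/ and falls back to a constructed sample so it runs anywhere.

```python
"""Classify Linux CPU-vulnerability mitigation status (added example).

Assumes the sysfs directory /sys/devices/system/cpu/vulnerabilities/, whose
files read "Not affected", "Vulnerable", "Vulnerable: <details>" or
"Mitigation: <details>".
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map one sysfs status line to not_affected, mitigated, vulnerable or unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised format: treat as needing a look


def assess(statuses: dict) -> dict:
    """Return {vulnerability_name: classification} for a set of status lines."""
    return {name: classify(text) for name, text in statuses.items()}


def needs_attention(statuses: dict) -> list:
    """Names still vulnerable or unrecognised, sorted for stable reporting."""
    return sorted(n for n, c in assess(statuses).items()
                  if c in ("vulnerable", "unknown"))


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Read live statuses; empty dict if this kernel lacks the interface."""
    if not os.path.isdir(path):
        return {}
    out = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as f:
            out[name] = f.read()
    return out


# Constructed sample: a host with KPTI applied but no Spectre v2 mitigation.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE
    for name, cls in sorted(assess(live).items()):
        print(f"{name:12s} {cls}")
    print("needs attention:", needs_attention(live))
```

Run across a fleet, the `needs_attention` list is the set of hosts and issues that still require a kernel or microcode update.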

The immense hype buildup, premature disclosure and chaotic patch rollout created a cloud of confusion among consumers, system administrators, and software vendors alike. Due to “misbehaving” personal security products, Microsoft required security software vendors to validate that their software was compatible with the new update.

This is a Security Bloggers Network syndicated blog post authored by Jeffrey Tang. Read the original post at: Cylance Blog