09:35 AM
Jeffrey Burt

Spectre, Meltdown Vulnerabilities Will Haunt Industry for Years

Chip makers such as Intel have released patches and fixes to mitigate Spectre and Meltdown issues, but the problem won't be solved until they come out with new architectures, which is two to three years away.

A year ago, the public first heard about Spectre and Meltdown, side-channel vulnerabilities in most of the processors used in servers and PCs for almost two decades. The vulnerabilities, first detected by Google's Project Zero team in mid-2017 and officially disclosed in early 2018, sent shockwaves through the industry.

The effects will continue to be felt over the next few years as chip makers from Intel and AMD to ARM and IBM rearchitect their processors to harden the technology that led to the vulnerabilities, a process that will take another three or so years, according to Paul Teich, principal analyst at Liftr Cloud Insights.

After that comes the arduous task of refreshing PCs and data center servers throughout the world with systems powered by the new processors, which could take a decade or more.

"We're going to be living with Spectre and Meltdown for a long time," Teich told Security Now.

The vulnerabilities arise out of the speculative execution that is used to ramp up the performance of the processors. Through Spectre, the isolation between applications that is managed through the CPU memory can be broken, while Meltdown breaks the isolation between applications and the operating system. Chip makers scrambled to put in fixes through microcode and software changes to mitigate some of the risk from Spectre and Meltdown, but more permanent solutions are years down the road. In addition, variants of the vulnerabilities have continued to spring up, complicating the already complex task of addressing the problems. (See New Spectre & Meltdown Attacks Show Limits of CPU Vulnerabilities.)

Security concerns
Spectre and Meltdown also changed the discussion around security to a degree.

Until last year, much of the talk about vulnerabilities and exploits centered around software, though the security of Internet of Things (IoT) devices has been a growing issue. However, Spectre and Meltdown brought security concerns into the core of enterprise hardware and raised the difficult question of finding a middle ground between performance and security. Intel and others have tried to lessen the impact on performance through such steps as adding more memory, but it's a challenge, Teich said.

"A worrying pattern that the Spectre and Meltdown vulnerabilities brought to light is how attackers piggyback on computing advancements and exploit the fact that there's often a lag between performance improvements and corresponding security improvements," Abhishek Iyer, technical marketing manager at cybersecurity vendor Demisto, told Security Now in an email. "The Intel SGX brought an innovation to market -- the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks -- but the Foreshadow (L1TF) [variant] explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines."

It also put a focus on the need to address security throughout the development process to address possible vulnerabilities before the products are shipped, Charles King, principal analyst with Pund-IT, told Security Now.

"It's a new world that continues to evolve," King said. "It behooves people to keep that in mind. Don't think it's going to get any less complex or dangerous."

Assessing the response
The industry's initial response to Spectre and Meltdown was good, according to Liftr Cloud's Teich. Google researchers worked with hardware and software vendors to remediate as many of the problems as possible before going public with the vulnerabilities, and chip makers have continued to issue fixes and build protections into their products.

Still, the various fixes frustrated C-level executives and IT professionals, according to Jon King, cybersecurity consulting manager at investment firm Moss Adams. For executives, the impact on performance and cost may have convinced some to "ride out the storm [rather] than fully understand the risk," King told Security Now in an email. (See Intel's 9th Gen Processors Offer Protections Against Spectre & Meltdown.)

The continual release of inconsistent patches also affected IT. As King noted, these updates are:

Desensitizing them to the potential impact of side channel disclosure due to the frustration of reapplying patches and registry edits across the enterprise. Going forward, we should expect and even encourage vendors to address classes of vulnerabilities affecting broad swaths of the industry in a thorough, effective manner. The emphasis should be on addressing the risk, not simply patching the vulnerability.

Teich added that the next iteration of processors from Intel and AMD will bring greater protections against the vulnerabilities -- he called them "half steps" -- but it will be the processor rollouts after that -- in mid- to late-2020 -- that will include new core architectures that will protect the various points in the speculative execution pipeline. Then comes the long process of enterprises refreshing their data centers with new systems that include the new chips.

The good news is that, so far, there don't seem to have been any attacks in the wild exploiting the Spectre or Meltdown vulnerabilities.

Part of that may be how difficult such an attack would be, Teich said, calling the vulnerabilities "low-risk, high-impact." Such an attack would involve the transferring of huge amounts of data from the system over the network, something that modern security solutions would most likely be able to detect.

In addition, most threat actors know the data they're looking to extract. Exploiting Spectre or Meltdown would mean stealing massive amounts of data that an attacker may not know what to do with. "The whole point of [an attack] is to send data home," Teich said, adding that attackers tend to run "pinpoint surgical operations."

Chris Morales, head of security analytics for cybersecurity vendor Vectra, agreed.

"The reality is, while these are scary attacks conceptual, the ability to execute an attack utilizing these flaws is still hard," Morales told Security Now in an email. "The data rate for extraction of data from system memory is very low, meaning stealing anything more than a simple password could take days or much longer."

For now, the industry will have to push on with Spectre and Meltdown always looming, at least for the next several years.

"The problem isn't going to go away until Intel and other companies with technology susceptible to Spectre and Meltdown change the [chip] architecture," Pund-IT's King said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
