How bad are Meltdown and Spectre?
- 23 January, 2018 22:00
I’ve been surprised by the lack of interest, by both the general public and some IT admins, in the Meltdown and Spectre vulnerabilities, which are arguably the most significant computer vulnerabilities we have ever dealt with. To be fair, this isn’t the end of the world. Computers aren’t falling over left and right yet.
The big pain hasn’t happened, and that’s part of the problem. These are HUGE exploits with HUGE risk, but because they aren’t being widely exploited yet, they just aren’t getting the attention that they deserve. I expect hundreds of millions of devices to remain vulnerable for the foreseeable future.
Note: I’m writing about Meltdown and Spectre as if they are similar exploits with similar impacts, even though they are not. It just makes writing a short article such as this one easier. Be aware that not all statements below apply to both flaws in equal measures.
A few readers have sent me questions and rebuttals to my concern. Here are a few aggregated examples along with my responses:
It’s not that big of a deal, you’re overreacting
Meltdown and Spectre affect nearly every modern-day operating system (e.g., Microsoft Windows, Apple OS X, iOS, Linux, and BSD) and the most popular CPU chips (e.g., Intel, ARM, AMD). They impact servers, workstations, laptops, tablets, mobile devices, network equipment, cloud services, graphics cards, and some internet of things (IoT) devices. Did I leave something out?
You might think you are safe in some instances, such as gaming consoles. Some of the most popular gaming consoles are not affected. Whew! Except for the fact that nearly every modern-day gaming console connects to the cloud, and those cloud services are likely affected. I have heard that smart watches and newer versions of some smart phones, WiFi routers, and many home automation devices aren’t affected. Well, we have to take our little victories where we can.
Just patch your stuff and it’s fixed
The Meltdown and Spectre issues are so complex that a device fix often involves patches to chip, firmware, OS, and applications to make your device unexploitable. Some solutions require additional configuration setting changes.
You’ve somehow got to figure out what needs to be patched, how extensive the patching is, how to deploy all the needed patches, and how to make sure everything has been applied as required. It’s a patching nightmare. Some percentage of devices and software can't be patched and must be replaced. It’s bad when your admins are thinking that they would rather replace every impacted device than be responsible for ensuring all devices are adequately patched.
The worse problem is how many devices will never be patched. With a normal software patch, the overall patching status looks like this: 50 percent of people will apply the patch in an acceptable period of time, 25 percent will apply the patch very late, and 25 percent will never patch the device. The complexity of these exploits means the latter percentage of people who never patch will likely be higher.
Why don’t some people patch? In some cases, they aren’t allowed to patch—for example, admins for environments like critical medical devices or critical energy control equipment aren’t allowed to patch, or at least in the same year. More often than not, admins have software and devices that they don’t know they need to patch.
The impacted computer is a cash register, a hidden piece of network equipment, or a server tucked in the back. There may be a message on that device’s screen that is screaming to be patched, but they never do it. How many friends do you have that cognitively ignore all the patch warnings for years? That’s many of my friends.
It’s not that serious of an exploit; it’s really only eavesdropping
That eavesdropping is on the most critical secrets involving the security of the devices or OS. On impacted devices, malicious attackers can bypass every current anti-malware and protection feature implemented on those unresolved devices without setting off a warning or leaving a trace in a log file.
Meltdown and Spectre were seen by the (multiple) discoverers and impacted vendors as so serious that they did not release information until a coordinated fix and response could be accomplished. There were literally thousands of people spread over many dozens of vendors, and they all kept this exploit quiet for months until someone leaked it a few days early. Let me know if you’ve ever found another “eavesdropping” exploit where the coordination across the industry was not only required, but actually maintained for months?
The exploits aren’t being widely used and won’t be easy to weaponize
Simply not true. Right now, the example exploits just seem to pull those critical secrets out of the processor memory, but future exploits will likely evolve to a point that attackers can execute a particular program to get a particular secret.
These aren’t remote exploits, so the fears are overblown
Today, 99 percent of exploits aren’t true remote exploits, but it hasn’t stopped attackers from being even more successful. An attacker can execute a true remote exploit by performing all needed actions on their end. An example is an exploitable listening service. The attacker connects to the service, transmits the needed exploit against the vulnerable service, and voila!, the service is exploited. Remote exploits can spread very far very fast because they don’t require local end-user interaction. They used to be the majority of exploits, but that hasn’t been true for over two decades.
Today, most exploits require local end-user interaction to be successful. It’s not nearly as hard as anyone assumed decades ago to trick users into clicking on a link, opening an email, or double-clicking on a file. If it was, we would have defeated malicious internet exploits a long time ago. These days I mostly ignore the local-only versus remote-only distinction given for an exploit trait. If it’s a local-only exploit or requires end-user interaction, the exploiter can still be successful.
This might be just the tip of the iceberg
What scares me the most isn’t the laisse faire attitude toward Meltdown and Spectre; it’s that it sets a precedence for what is likely to become a growing problem. Hardware exploits are becoming more popular and interesting to more people. Indeed, it appears that several different groups of unrelated people had individually discovered the aforementioned exploits during the same few months, all while exploring the field of chip exploits more intently.
We can absolutely expect more chip exploits along the lines of Meltdown and Spectre. The question is will we, as a society in general, care enough to adequately respond to all instances, or will exploit fatigue set in?
If you’re feeling a little superior right now, make sure your company is doing all it can to patch everything required. Ask yourself, does your company have a written policy requiring that all chip and firmware patches get applied in a timely manner? Does your company, regardless of the written policy, actually have a list of chip and firmware versions, actively check them for patches, and apply those patches? Or are you just responding to the Meltdown and Spectre issues?
Nearly every chip and firmware patch fixes one or more critical security vulnerabilities. They always have. We’ve been lucky that attackers haven’t focused more on them. The thousands of yearly software vulnerabilities have been successful enough that they haven’t had to focus on hardware issues. That seems to be changing.