topic Re: How are you handling Meltdown and Spectre? in Industry News

How are you handling Meltdown and Spectre?

Kaity — Mon, 09 Oct 2023 08:23:23 GMT

Another day, another exploit. Or two. For now. News of Meltdown and Spectre is all around us...

Here are a few articles:

Meltdown and Spectre: How chip hacks work - BBC

A Critical Intel Flaw Breaks Basic Security for Most Computers - WIRED

Meltdown and Spectre CPU Flaws Expose Modern Systems to Risk - eWeek

Critical Microprocessor Flaws Affect Nearly Every Machine - Dark Reading

So what are you - and your organization - doing to respond? Advice to share? Warnings?

Let us know!

Re: How are you handling Meltdown and Spectre?

Caute_cautim — Thu, 04 Jan 2018 19:57:33 GMT

With respect to Meltdown and Spectre, I suggest a good source of notifications and updates and recommendations, which is regularly updated is:

IBM X-Force Exchange, you can sign up free and obtain notifications on important vulnerabilities as they develop regularly.

https://exchange.xforce.ibmcloud.com/collection/c422fb7c4f08a679812cf1190db15441

In terms of remediation, apply best practices for authorised patch management processes, and keep watching for updates.

Re: How are you handling Meltdown and Spectre?

Caute_cautim — Thu, 04 Jan 2018 23:42:29 GMT

Some good explanations can be found here:

https://securityintelligence.com/series/ibm-insights-and-recommendations-on-the-cpu-vulnerability/

Re: How are you handling Meltdown and Spectre?

D4rk_sp1d3r — Fri, 05 Jan 2018 03:31:38 GMT

I went here asking the same question. We have a very large global company with multiple sites not to mention acquired companies. Getting updates on all the bios might take a while for us but I am going to suggest on some steps that can be done. Anyway, just want to know how others are handling this vulnerability.

Re: How are you handling Meltdown and Spectre?

Caute_cautim — Fri, 05 Jan 2018 06:08:20 GMT

I suggest you collate an inventory of all your vendors/suppliers and commence communicating with them directly. This will give you a pretty good idea on how proactive they are and also the timeline and quality of advice provide by each supplier.

I definitely recommend keeping an eye out on regular updates. If I find any further information, I will endeavour to post it for all and sundry.

Re: How are you handling Meltdown and Spectre?

Radioteacher — Fri, 05 Jan 2018 12:51:20 GMT

Here is a nice graphic from Daniel Miessler that gives an overview of the threats. "Must have code execution" limits exposure.

Our vendor list is prepared and emails/phone calls will be made today to check on their exposure.

We are alpha testing the Microsoft patches today.

Also, we are tailoring some internal and external communications.

Paul

Re: How are you handling Meltdown and Spectre?

leroux — Fri, 05 Jan 2018 13:47:49 GMT

Sorry, but I can't see the image.

Best regards,

Re: How are you handling Meltdown and Spectre?

leroux — Fri, 05 Jan 2018 13:55:25 GMT

Hackers would first need to install malicious software on your computer in order to take advantage of these flaws.

That means they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer's sensitive information.

Consequently, we have to have stroung computer security implemented and the malicious software will not enter your system...

Re: How are you handling Meltdown and Spectre?

leroux — Fri, 05 Jan 2018 14:19:51 GMT

Hackers would first need to install malicious software on your computer in order to take advantage of these flaws.

That means they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer's sensitive information.

Consequently, we have to have strong computer security implemented and the malicious software will not enter your system...

Re: How are you handling Meltdown and Spectre?

Badfilemagic — Fri, 05 Jan 2018 22:12:54 GMT

The threat actor doesn't need to install malware on an endpoint to take advantage of the the vulnerabilities. Functional JavaScript PoCs exist which exercises the bug. This means that the attack can be delivered via drive-by exploitation when a browser visits a site serving a malicious payload.

Firefox and Chrome javascript engines have been patched, so if you have the latest you should be fine. I'm not sure about other browsers/jscript engines. It is likely Microsoft and Apple have also taken necessary steps.

So, endpoints may have exposure to the issue in this fashion. Your own servers are likely fine, but anything in a multi-tenant, public cloud is another story as an attacker could get a VM instance on the same physical host as yours and if the hypervisor host is vulnerable, it can be a major issue in terms of disclosure.

Re: How are you handling Meltdown and Spectre?

Clive — Fri, 05 Jan 2018 23:02:28 GMT

Opinions are my own and not my employer

Would BIOS lock and Micro segmentation using VMware NSX work to isolate this threat (and future ones)

The National Institute of Standards and Technology (NIST) Special publication on BIOS protection guidelines stated the following:

Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization

NIST 800-17

Re: How are you handling Meltdown and Spectre?

Badfilemagic — Fri, 05 Jan 2018 23:25:14 GMT

BIOS locking and microsegmentation address other threats, not these.

These have to do separation of memory protection rings where, due to various performance optimizations in hardware and at the OS level, data can leak between boundaries (userland process gaining state knowledge of kernel-space memory, or one user process able to gain state knowledge of memory in a process running in a different context on the same os instance).

Microsegementation really addresses network traversal and lateral movement issues, particularly inside virtual environments. BIOS locking is important and you should do it, but isn't going to help you here.

Apply your OS patches and any firmware/microcode updates as may be appropriate; newer Intel processors which use PCID in the context switches shouldn't have the major (30%) performance impact that will be caused by KAISER-type mitigations (unmapping user virtual address space from TLB on entry to system call, then unmapping kernel virtual address space when leaving and returning to the userland process's execution context). Allegedly newer Intel processors should only have a 5% hit there, more or less, and depending on workload. AMD processor are allegedly not vulnerable to "Meltdown" because they made the sane choice of actually checking security context before going down the predictive execution rabbit hole.

Re: How are you handling Meltdown and Spectre?

Clive — Fri, 05 Jan 2018 23:34:47 GMT

WOW Badfilemagic you know your stuff - Thank you

Re: How are you handling Meltdown and Spectre?

Badfilemagic — Fri, 05 Jan 2018 23:37:46 GMT

I spent a good bit of time last year digging through FreeBSD kernel code, writing some, and having to get some major refreshers on "how computers work" at the low level, so the pump was primed to follow this issue with great interest 🙂

Re: How are you handling Meltdown and Spectre?

Caute_cautim — Sat, 06 Jan 2018 03:59:47 GMT

What do you think of this guidance from the University which disclosed the vulnerability to Intel?

https://meltdownattack.com/

Re: How are you handling Meltdown and Spectre?

Badfilemagic — Sat, 06 Jan 2018 14:11:16 GMT

The guidance seems to be to apply os patches, update your browser and when llvm updates are in place, rebuild your whole stack with it using the appropriate compiler flag (advice which is of little to no use to the average user or average corporation).

This is bad news for the cloud. Updating browsers and limiting use of Javascript (which is the major attack surface these days anyway) limits end user exposure on PCs and other endpoints, though, but apply patches.

Re: How are you handling Meltdown and Spectre?

Bayshob — Sat, 06 Jan 2018 14:57:04 GMT

These are 2018 vulnerabilities. Thanks for sharing this. This is a hot topic because it is new, recent and hot. Installing latest patches, using a good security solution, security awareness and avoiding insecure website are among the security tips that I recommend

Re: How are you handling Meltdown and Spectre?

Tolga — Sat, 06 Jan 2018 15:42:08 GMT

I have to say this is one of the quite tricky things I've encountered in my career.

On one hand, there is media coverage that hypes this issue to more than it is, on the other hand there is a technical explanation to it, however no one at this point has really been able to quantify the risk (e.g. with CVSS et al).

However, as far as I've been able to digest this issue it would be a great idea in my humble opinion for enterprises to narrow the attack surface, such as by updating their browsers to certain levels that they aren't affected by outside factors on the big world bad wide tangled web.

Then I would pursue going down the hatch, by starting off with VM's, stand-alone servers, clients et al and get to the bottom as quick as possible.

Again, as far as I've heard from other people who have already applied this patch, it seems like there is a loss of approximately 5% to 10% CPU processing power. This would surely lead to some discussion within a few IT Ops-Depts.

And to some extent, unless there is something done on the processor everything sounds to me like an "Workaround-Patch".

Anyway, I'd be delighted to hear and see some of the other ideas, sugesstions on this topic.

Re: How are you handling Meltdown and Spectre?

Bayshob — Mon, 08 Jan 2018 00:35:28 GMT

Thanks for sharing

Re: How are you handling Meltdown and Spectre?

JoePete — Wed, 10 Jan 2018 18:49:34 GMT

I think the more pressing question is "How are your service providers handling Meltdown and Spectre?" While the vulnerabilities could be exploited by something like a malicious web site (http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html), I think the higher risk, higher target exploits will involve cloud based attacks where one malicious cloud users gets access to the data of all users sharing the same physical hardware. Conceivably, this could result in the compromise of a service provider's management plane and with it an entire data center. Really, this shows how one flaw - inspired by the desire to do more, faster - can undermine everything on top of it.