Asian Experts Size Up Meltdown and Spectre Vulnerabilities
Vendors, Government Agencies Issue Warnings
Security practitioners in India and Asia, heeding warnings from vendors and government agencies, are grappling with security challenges posed by the two critical vulnerabilities dubbed Meltdown and Spectre that affect desktop computers, smartphones, tablets and cloud services that use some types of Intel, AMD and ARM microprocessors (see Microsoft Pauses Windows Security Updates to AMD Devices).
Attackers could take advantage of the flaws in many microprocessors to steal kernel data, including passwords and encryption keys. But so far, there have been no reports of real-world attacks.
Singapore's Computer Emergency Response Team recommended that users monitor their vendors' websites for the release of security patches and implement them as soon as possible.
Meanwhile, India's CERT-In rated the vulnerability as high.
"These vulnerabilities exist due to side-channel attacks, which are also referred to as Meltdown and Spectre attacks. A local attacker could exploit these vulnerabilities by executing arbitrary code with user privileges and gain access to sensitive information on the targeted system," CERT-In says.
Concerns About Chip Design
Some security practitioners in the region say the vulnerabilities raise serious concerns about chip design.
"The only lasting solution here will be better chip security design," says Tom Wills, director at OnTrack Advisory, an information security advisory firm based in Singapore. "We can expect the vendors to immediately correct the design flaws that caused Meltdown and Spectre, and this will be reflected in new chips moving forward." But the risk will continue to exist across at least some of the ecosystem until the entire generation of currently deployed chips has been replaced, Wills says.
"While the chip vendors have come out with full fixes, the medicine is worse than the cure because, in order to fully mitigate the vulnerability, the chip itself has to be replaced," Wills says. "Some partial fixes have also been released by operating system vendors as software updates; however initial indications are that they result in a significant degradation in system performance."
Unfortunately, some of the fixes may reduce processor performance, especially in large-scale environments. "There is a growing concern about the overall performance of the systems as the vulnerability directly impacts the kernel memory and user memory spaces," says Mumbai-based Sachin Raste, senior research analyst with eScan, a security solution provider. "There is also a growing concern that these performance issues would affect the services hosted in the cloud environment."
Others see the problem as symptomatic of more longstanding OEM supply chain issues. "The issue is not new and this could just be tip of the iceberg going forward," says Singapore-based Ken Soh, CIO and director at BH Global. "We truly do not know what we do not know. Security always comes with inconveniences and cost."
Chip, operating system, mobile device and application vendors are now racing to mitigate the risks posed by Meltdown and Spectre. But security practitioners say many fixes will be iterative and that developing genuine, long-term fixes will be time-consuming.
"This will realistically take several years and it's not clear what exploits will happen between now and then," says one security practitioner in the region, who asked not to be named. "Because servers and other back-end devices tend to be replaced least often, this is where I expect the risk to persist the longest."
Thankfully, many security experts believe that the risk of these vulnerabilities being exploited to cause widespread chaos remains low.
"For enterprise customers who are not on the cloud, this issue isn't going to bring the skies crashing down as it's not remotely exploitable," says K.K. Mookhey, CEO and founder at Network Intelligence, a cyber security firm based in Mumbai. "So launching the attack would first require compromising the network and systems using some other means of attack. A widespread attack is unlikely to be seen immediately unless it gets combined with a vulnerability to first get access to the target system and then run memory dumping exploit code, such as the EternalBlue-type vulnerability exploited by WannaCry."
"The Intel bug is a really cool bug that took a lot of work to find, exploit and fix, but most folks don't need to do anything other than install OS updates when they arrive." — Pwn (@pwnallthethings), January 3, 2018
The Way Forward
Unfortunately, Spectre and Meltdown attacks would likely leave no trace, security experts say, and cannot be blocked by anti-virus software. So it's essential for organizations to install security updates and attempt to mitigate these flaws as quickly as possible.
Security practitioners say this type of situation can only be avoided if chip manufacturers use more stringent chip design and production processes and prioritize not just performance, but also security. "We love to instill a strong framework with security by design and security in depth. However, at the end of the day, it has to be a proposition well-balanced and acceptable by all parties in the industry," Soh says.