Techies to net ‘great deal of work’ from chip security crisis

Techies adept at patching systems are the likeliest IT contractors to benefit from the ongoing fallout from two chip vulnerabilities affecting almost all processors as far back as 1995.

Disclosed by a US research team, ‘Meltdown’ and ‘Spectre’ offer a window for attackers to steal sensitive data from many devices using many different CPUs and operating systems. 

But thanks to the team, techies who must safeguard client systems can use the team’s online page to see details of both vulnerabilities, their background and how to head off data leakage.

Exploiting Meltdown could let an attacker obtain usernames and passwords, which might be encrypted on disk, but would be in plaintext while ‘memory-resident,’ says Recorded Future.

Exploiting Spectre (which is harder to exploit than Meltdown but also the harder of the two to mitigate) would offer a similar cache of sensitive data, the threat intelligence firm warned.

‘No traces’

But the firm’s Allan Liska points out that there is ‘no way to detect these attacks’ (the current consensus is that they have not yet been launched) using traditional security methods.

“Exploits of these vulnerabilities will not leave traces in log files or unusual files on the system”, he said. “The best way to mitigate against these [potential] attacks is to apply vendor patches as quickly as possible.”

In one of many alerts it has put out about the vulnerabilities, chip giant Intel said that its aim was to issue updates for 90% of chips it made in the past five years by the end of the week.

Relevant patch releases or mitigation advice is now available from Amazon (for AWS) Apple (for High Sierra), Google (for Chrome) and Microsoft (for Windows, accompanied by an alert of a possible conflict with AV products).

‘Performance reduction’

But at the time of writing, warnings of a reported slowdown in systems due to the vendors’ ‘solutions’, of between five and 35 per cent are being issued.

Intel disputes this, as do the four companies.

“A reduction in performance is likely to be felt more heavily by cloud servers and processer farms than by individuals,” says Emma Stevens, associate solicitor on the IT team at law firm Coffin Mew.

“[This] may also result in grounds to claim against Intel in respect of its faulty product if this impacts on business. Providing a fix will assist Intel in limiting its liability to a certain extent, but it cannot avoid exposure entirely”.

‘Big vulnerabilities’

Meanwhile, Firefox has published a report stating that they too are working on a fix, as exploit code seems to show that an attacker could use Meltdown to expose usernames and passwords saved in Mozilla’s browser.

With more certainty, Mr Liska addressed the scale of the task, and therefore the lucrative opportunities, facing IT security specialists. “These are big vulnerabilities”, he said of Meltdown and Spectre.

“They have already impacted thousands of organisations around the world and will continue to create a great deal of work as systems are patched and mitigations are put into place.”

Sam Curry, chief security officer at Cybereason described the US research team as having uncovered a “very long running set of flaws that could mean the ability to exploit a lot of systems very deeply.”

‘Calm before the storm’

“The chip vendors are playing this calmly, but this is likely the calm before the storm,” Curry said. “We will very likely see sophisticated attackers exploit [Meltdown and Spectre].

“And don't be surprised if… a catalyst in the form of hack or research further heats this up and makes it a more clear-and-present risk in 2018.”

Cybereason believes “notice has been served,” meaning IT security teams must now “pay attention to the hardware and stop taking the solidity of computing's building blocks for granted.”

The firm also said: “Leaky abstraction is a phrase that comes to mind -- if you are an architect and don't know it, break out your Google search function.”

Legal action

Since the comments, Intel has been hit with three lawsuits relating to Meltdown, and faces accusations of deceptive practice, breach of implied warranty, negligence and unjust enrichment. 

According to a statement by ARM, some of its processors are also affected by Meltdown, yet it has been unclear since discovery if the vulnerability is on AMD processors, although the CPUs of all three companies (Intel,  ARM and AMD) are affected by Spectre.

The news comes as the House of Lords is moving to consider an amendment to the Data Protection Bill, with the effect that it would be easier for Britons to sue companies that mishandle their personal information.