Hardware problem sparks more software updates

More details of the privacy-threatening Meltdown and Spectre flaws were released last week, with security experts warning that, although the worst may be over, further variants to the growing family of CPU-related bugs are likely.

Intel released microcode updates to defend against CVE-2018-3639 – Speculative Store Bypass, Spectre Variant 4, previously known as Spectre-NG – and the less serious CVE-2018-3640, the Spectre Variant 3a flaw.

Both of the security vulnerabilities are related to attacks first disclosed in January 2018 and are exploited through a side channel. Exploitation, however, is difficult and no attacks have actually surfaced.

The hardware-related bugs create a possible mechanism for miscreants to read secrets from protected kernel or application memory through malicious JavaScript or similar trickery.

The attack stems from a fundamental design problem in a performance feature of modern microprocessors – speculative execution – which has turned out to create long-hidden security exposures in practice.

Google Project Zero's Jann Horn, one of the researchers who revealed the earlier Spectre and Meltdown bugs, and Ken Johnson of Microsoft are credited with the work that uncovered these latest problems.

Processor cores from Intel, AMD, and Arm – the world’s biggest maker of smartphone and tablet processors – as well as many IBM CPUs are all affected. Cloud deployments may also be at risk.

While the problem is rooted in hardware, the fixes involve software updates.

Ghost in the shell

Spectre Variant 4 means that script files running within a program – such as JavaScript in a browser tab – might be able to snaffle sensitive information such as personal details from other browser tabs.

According to Intel, mitigations released back in January should make attacks targeting Variant 4 much more difficult.

“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser.

“These mitigations are also applicable to Variant 4 and available for consumers to use today,” explained Leslie Culbertson, Intel’s executive vice president and general manager of product assurance and security, in a blog post.

Spectre Variant 3a involves a rogue system register read, which allows unprivileged programs to steal a look at hardware status flags – an undesirable, but far less threatening, risk.

Beta updates

Intel and other CPU makers have published microcode updates for these flaws, and both computer manufacturers and system software makers are now testing them so they can be packaged as firmware updates and patches.

These updates might be disabled by default because, although the threat is low, they result in a performance hit of between two and eight per cent, according to Intel.
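Because the mitigation may ship switched off, a defender's first question is whether the running kernel reports it as active. The script below is an added example, not from the article or any vendor: it assumes the Linux sysfs entry `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass` and classifies its reported status; the sample status strings used in comments are constructed to follow the kernel's wording.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's reported status for
# CVE-2018-3639 (Speculative Store Bypass) from the sysfs vulnerabilities
# interface. The path is an assumption about the running kernel, not a value
# taken from the article.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb FILE
# Prints one of: not_affected | mitigated | vulnerable | unknown
# Constructed sample inputs this handles:
#   "Not affected"
#   "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
#   "Vulnerable"
classify_ssb() {
    file="$1"
    # Older kernels (or non-Linux hosts) have no such file: report unknown
    # rather than silently treating the host as safe.
    [ -r "$file" ] || { echo unknown; return 0; }
    status=$(cat "$file")
    case "$status" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_ssb [FILE]
# Exit 0 only when the kernel says the host is mitigated or not affected;
# "unknown" is deliberately treated as a failure so it gets investigated.
check_ssb() {
    result=$(classify_ssb "${1:-$SSB_SYSFS}")
    echo "spec_store_bypass: $result"
    case "$result" in
        not_affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the live host's status when run directly (never fails on its own).
echo "spec_store_bypass on this host: $(classify_ssb "$SSB_SYSFS")"
```

An exit status of 1 from `check_ssb` means the host is either exposed or cannot be assessed, which is the case to flag in fleet-wide patch tracking.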

Difficulties with previous Spectre fixes may be partly responsible for the decision to release the latest updates as a beta.

“From what I can see of the potential exploits, multi-tenanted systems could be the ones that have the most to lose,” Professor Alan Woodward of the University of Surrey told The Daily Swig.

“If you’re sharing your CPU with someone else and your data is hived off to a non-secure area of local memory, then it looks like it could be collected by others. Of course, it assumes the underlying OS can be infected somehow to hoover up the bits and pieces left in insecure areas. That’s not so trivial in modern hypervisors as they tend to be minimal in their own right and thus more difficult to infect with malware.”

“If someone figures out how to use the underlying OS, then the guest OS can have all the security in the world, but it won’t help. Hence, I imagine those who will be patching first will be the providers of the cloud systems.”

Woodward added that although exploitation would be far from easy, this doesn’t mean the issue can be safely neglected.

“The more likely consequence is that there may be performance degradation once speculative execution is inhibited,” he explained. “We’ve not seen huge impacts in these environments from the patches for Spectre and Meltdown so far, despite some dire warnings. I suspect what will happen in cloud environments is that more resources will simply be applied: one of the benefits of using a cloud environment.”

Rodney Joffe, SVP and Fellow at security vendor Neustar, commented: “The latest announcement regarding the newest vulnerabilities related to Spectre indicates that the core chip vulnerabilities are going to continue and are not over. Organizations need to be prepared to deal with further attack announcements and for continuous patching.”

A Linux vendor has put together a video explaining the issue.