Chip-level exploits: What you need to know
Not every day do we learn that around three billion technology devices are in danger of being compromised. But that is the news currently spreading around the world, as revealed by four separate security teams within a few days of each other.
The flaw, found in processor chips from AMD and Intel and also in ARM chips made by various manufacturers, allows specially written code in one application to see data being used by a quite separate application.
What is worse is that in today’s computing environments, such as those found on shared cloud services provided by Google, AWS, Microsoft et al, that means an application running on a virtual server owned/rented by company X can read data owned by companies Y and Z.
The two flaws (named Meltdown and Spectre by researchers) are thought to be around 20 years old and have not been exploited “in the wild” for all that time. But, like all malicious tidbits and methods, the know-how to use them is being passed around the Internet to anyone who wishes to use it.
And while the potential scope of the exploits in sheer numbers is mind-blowing (so many devices are run by computer chips these days), the standard advice to update and patch may not be followed.
The big cloud platform suppliers are already updating their susceptible systems (although both Amazon and Google, to name but two, have denied their systems are unduly affected), and some system administrators and IT professionals may well be doing the same.
Usually, when updates or patches are released, careful IT professionals will run the new code in test environments to make sure enterprise systems are not negatively affected. And in this instance, advice differs: some say to update-and-be-damned, others say the potential for data loss caused by the patches themselves is too high to risk.
According to Ben Johnson, co-founder of cyber-security startup Obsidian (as reported by Reuters):
“If you start applying patches across your whole fleet without doing proper testing, you could cause systems to crash, essentially putting all of your employees out of work.”
Ironically, it seems that the software updates cause some popular antivirus programs to crash, producing the infamous Windows “blue screen of death” in some instances.
There are two further factors which should be kept in mind. First, the exploit makes use of a chip-level method of speeding up processing called “speculative execution”. Patching systems removes this method, and potentially slows down processors and the apps which run on them.
Impact of patching #Spectre #Meltdown on #StorageSpacesDirect! A loss of almost 600k IOPS! Benchmark is random 100% read @ 4K blocksize pic.twitter.com/CCL3Bf61Qh
— Ben Thomas (@NZ_BenThomas) January 8, 2018
Second, the “flavor” of the potential security breach called Spectre is best mitigated by using up-to-date browsers which have been patched by their creators. Updating a web browser poses less risk, in some cases, than an OS update, but it does not completely eliminate the chance of being compromised.
As ever, Tech Wire Asia's advice is to test, test and test again before applying any update, but to do so in a timely manner. In this case, as in most where cybersecurity is potentially compromised, work should be quick, but not hasty.