This week, news reports disclosed two earth-shattering vulnerabilities, dubbed Meltdown and Spectre, that collectively impact almost all processors made in the last 20 years. Exploit tools for the Meltdown vulnerability are already available for hackers to use to compromise corporate networks that remain unpatched. The Meltdown vulnerability is specific to most Intel processors manufactured since 1995. The Spectre vulnerability is much more problematic and difficult to patch, and will likely present ongoing problems for years to come. Most companies should be scrambling to ensure that the emergency patches Microsoft released off cycle earlier this month have been fully deployed. End users who use Chrome as their browser should confirm they are running Chrome 63 or later, which helps protect against these exploits.
In cloud-hosted, virtualized environments, vulnerabilities of this type can let data escape from one virtual machine to another, even when those virtual machines belong to distinctly different companies that rent virtualized servers on a shared host computer. This happens because vulnerabilities in how the processor uses memory can result in exploitation and running of untrusted code, causing memory to leak to other processes on a machine and leading to side-channel exfiltration of sensitive data. A hacker using exploits targeting the Spectre bug could take over and own an entire computer if the device is not patched. Platforms like Amazon’s AWS and Google Cloud let companies distribute a single program across many thousands of data centers around the world, and could fuel massive problems for neighboring cloud-hosted virtual computers if unpatched. Virtualized cloud computing brought the promise that virtual computers managed in the cloud would be segregated from one another, but that promise is essentially undermined by these new vulnerabilities, which impact the underlying microprocessor chips and can allow cross-pollination, contamination and exfiltration of data.
The good news is that many of the popular cloud servers, such as Amazon, Google and Microsoft, have all immediately begun deploying patches against the Meltdown attack, suggesting those cloud hosts have mitigated the problem being reported today.
Until microprocessor firmware security is fully addressed by the chipmakers, we will continue to experience patching fire drills like the current one.
Earlier last year, on April 28th, 2017, I provided the keynote presentation to IIT’s Forensecure Conference and discussed the problem relating to insecure backdoors and vulnerabilities with the Intel microprocessor. Intel later admitted they had a problem, but falsely claimed this only impacted business computers. A couple of months ago, specific details regarding how to exploit the Intel processor supervisory Minix OS were detailed by researchers, which I reported in my blog post dated November 14th, 2017. Roughly two weeks later, Brian Krzanich, the CEO of Intel, exercised and sold off $24 million in Intel stock around November 28th, 2017. It is notable and concerning that he sold off all of his holdings to the maximum allowed by his agreement with Intel, leaving him holding the minimum 250,000 shares his employment agreement requires him to hold. I suspect the SEC will come knocking on his door soon, as will shareholder and class action lawsuits.
Today’s news reports confirm my earlier suspicion that all Intel chips have issues rendering security of those systems highly susceptible to remote takeover and compromise. Google researchers had informed Intel back in June of 2017 of their discoveries relating to the chipset vulnerabilities impacting Intel. The public is only now becoming more aware of this issue, since there are finally fixes available for vulnerabilities that impact the last 20 years of Intel-produced microprocessors.
If you haven’t already done so this week, check your computer and see if any updates are available to apply. Note: if you are running an antivirus program other than Windows Defender, the antivirus program may prevent you from applying these important patches, since many of those antivirus programs are not yet compatible with patched Intel processors.
Tune in next week for more tales of our world of cyber insecurity!