Now that we’ve had half a year to process the Spectre and Meltdown flaws released in January, what’s been done about it? Are we now “safe” or are there other CPU flaws out there that we just don’t know about?
Unfortunately, there’s always the risk of as-yet unknown vulnerabilities that could be exploited for malicious purposes. But in the meantime, security researchers and other organizations are working hard on fixes to make the Internet (and in this case, computer architecture itself) a safer place. Here’s what they’ve been working on so far:
- After Spectre and Meltdown were announced, researchers scrambled to investigate CPU chips to see what else was out there. One of the first discoveries made as a result of Spectre and Meltdown was BranchScope, a flaw found in the Branch Target Buffer within Intel processors. This vulnerability leaks information based on previous decisions made by the branch predictor (the original problem with Spectre).
- There are have been a few side-channel flaws, which means that the problem comes from the implementation of the computer system rather than any algorithms it uses (e.g,. software bugs). One of these is a flaw in Intel Core-based processors’ Lazy FP state restore feature. Essentially, this dictates how the CPU saves and restores floating point unit data. How does this affect users? The flaw can be exploited to leak data and other CPU processes. It’s a similar flaw to Spectre, but less severe.
- Even though Intel has come under the most scrutiny as a result of the CPU vulnerability discoveries this year, rival maker AMD has not been left unscathed. Researchers announced in the spring that there were 13 critical vulnerabilities and backdoors found in AMD Secure Processor firmware and Promontory chipsets.
As if that weren’t enough, two new variants of Spectre were announced last week, Spectre 1.1 and 1.2. These new variants can be used to overflow the CPU’s store cache buffers and override read-only PTE flags (Page Table Entry flags, which are part of the memory of the chip) to write any new code to CPU memory.
This may sound like things have gotten worse, not better. But with the disclosure of the original bugs, it’s only natural that security researchers hunt out all the ways to exploit them so that patches can be made as soon as possible to prevent bad actors from taking advantage.
How to combat CPU and other vulnerabilities
Patch, patch and patch. Intel and Google released patches for both Spectre and Meltdown back in March, and they’ve shown to have less impact on performance than originally thought. We can’t emphasize enough about the importance of keeping your systems patched and up to date. As new flaws are discovered, fixes are made and rolled out to keep end users protected. According to a Ponemon survey, more than 60 percent of data breaches reported were due to an unpatched vulnerability, and of those business, 34 percent knew they were vulnerable and did nothing. Not good!
Some helpful advice: If you feel overwhelmed by the sheer number of vulnerabilities and patches currently out there, take a moment (or a few) to prioritize and patch rather than going about it willy-nilly. Focus on the zero-day vulnerabilities that have already caused data breaches in companies similar to yours. If you aren’t running the latest operating systems, (a Spiceworks survey found that 14 percent of businesses still run Windows XP) you should be more diligent about your patches.
Another tip is to invest in a SOC 2 audit. This type of audit takes a deep dive into your current security controls and will identify any extra measures you should take to protect yourself. If you use a third-party data center provider (or are considering a new one), make sure they have completed a SOC 2 audit and can provide the independent auditor’s report to prove it.
Did you know that Online Tech has been audited against 174 SOC 2 control criteria and had no exceptions? We can help you with your audits, too! Check out our SOC 2 resources or contact us to see how we can help you become SOC 2 compliant. We also offer comprehensive security services, including patch maintenance for our cloud and managed colocation clients.