By George Pagel
Earlier this year, researchers discovered critical vulnerabilities in modern computer processors. Dubbed Spectre and Meltdown, the flaws allow hackers to access privileged data from other running programs.
The problem is so widespread that it affects nearly all computers and mobile devices in use today. What’s more, if hackers do manage an attack, it might not be possible to detect exploitation.
Programs that run as one user are not usually permitted to read data from other users’ running programs. But Spectre and Meltdown leave a door open to get in, using a processor technology that has paved the way for many recent performance gains (multithreading). With the right attack, a user could exploit the flaw to access other users’ sensitive information. At risk could be passwords stored in a password manager, credit card information stored in your browser, emails and private customer information.
Who Should Be Concerned?
The effects of this vulnerability are most troubling in co-housed cloud or virtualized environments where other applications run on shared hardware. Of particular concern is sensitive information processed on a cloud provider’s unpatched server.
Microcode and operating system kernel fixes are available but, in many cases, they come with performance costs. However, performance hits should be considered a warranted trade-off for the highest-security operations, where secrets can under no circumstances be let out. Certificate authorities, core banking servers, encrypted email servers and online banking are good examples of the high-security targets to consider patching for Spectre and Meltdown.
No Malware … Yet
Exploitation of this vulnerability is complicated and would require a high level of expertise. Researchers have published proof-of-concept code demonstrating that an attack is possible, but no malware has been discovered “in the wild” yet.
That doesn’t mean your business is safe from an attack; what it does mean is that you still have time to bolster your defenses. Take steps to patch your systems and make sure your cloud service providers and third-party infrastructure vendors are doing the same — and if they haven’t notified you that they’re implementing patches, be proactive and ask them. Weigh the cost of reduced performance on heavily used applications versus the secrets contained in those applications and how your business would be affected if they got out.
Researchers continue to discover new ways that Spectre and Meltdown can be exploited, and manufacturers use that information to prepare essential patches. Be assured that malicious hackers are also working on attack scenarios. With the bitcoin market’s recent, continued drop in value, ransomware hackers who are seeking bitcoin will focus elsewhere — and your secrets may be next.
How to Take Action
Protecting your business against the Spectre and Meltdown vulnerabilities is possible with the help of experienced specialists. Reach out to the Wipfli cybersecurity team if you need assistance or would like to discuss these vulnerabilities further. We also recommend contacting your cloud service providers and third-party infrastructure vendors to inquire about fixes they’re making and the steps they’re taking to secure their systems.