There is a common cycle when new vulnerabilities are announced. The security conscious among us find out what software is affected, what the vulnerability enables cyber criminals to do, and we’re warned to apply patches to the software and keep up good security practices. But two recently-disclosed vulnerabilities have served as a warning that even the fundamentals of our connected world are vulnerable – down to the physical hardware.
On May 21st, two new variations of the Spectre and Meltdown vulnerabilities were disclosed. Although there have so far been no reports of the vulnerabilities being exploited, they could enable attackers to gather sensitive data from multiple types of computing devices. Components from numerous vendors are affected, including Intel and ARM CPUs.
Both newly discovered side-channel vulnerabilities, CVE-2018-3639—identified as a Speculative Store Bypass, and CVE-2018-3640— identified as a Rogue System Register Read, are similar to the Spectre and Meltdown vulnerabilities that were first publicly disclosed in January 2018, the CVE-2018-3639 Speculative Store Bypass is something new.
While the previously discovered Spectre and Meltdown vulnerabilities allowed attackers to access information outside of established security boundaries, the new Speculative Store Bypass CVE-2018-3639 can allow older values of memory to be visible (and therefore vulnerable) to an attacker, thereby posing a threat even to data that has since been encrypted or deleted.
So what organizations do to mitigate these vulnerabilities, and cut the risk of attack? Affected vendors have issued their own advice. Intel has been keen to emphasise that there are multiple ways to safeguard systems that are available for use today. The company’s statement said that most leading browser providers have recently deployed mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser.
Intel has also released updates to affected vendors providing a means for system software to completely inhibit a Speculative Store Bypass from occurring, and has also issued a firmware update for some of its chips, with another to follow soon.
Operating system vendors such as Microsoft have released updates which should be applied. Mitigations from browser vendors such as Mozilla, Apple and Microsoft that can limit the risk these new issues pose have been available since January.
Microsoft advised that it is working with affected CPU manufacturers to assess the availability and readiness of new hardware features that can be used to resolve these vulnerabilities. These may require a microcode or firmware update to be installed, but the company hopes to release a mitigation that leverages the new hardware features in a future Windows update.
This discovery serves as a wake-up call. While these newly announced vulnerabilities have not yet been known to be exploited, they emphasise that attackers have access to far more than just our applications. Anyone with data to safeguard must be constantly alert and maintain high security standards at all times because, as we increasingly discover, anything that can be exploited, will be exploited.