Spectre and Meltdown: No ghost of a problem
Many of our customers are already aware of the Spectre and Meltdown vulnerabilities in modern microprocessors that were revealed in the last day, and many have asked us what they should do in response.
Eve Moneypenney: So what's going on James? They say you're finished.
James Bond: And what do you think?
Eve Moneypenney: I think you're just getting started.
First, the bad news is that everyone must apply the required operating system patches for these vulnerabilities, and they will likely negatively impact application performance. The performance impact will continue until microprocessor vendors come up with good fixes and release new hardware – and this will likely take significant time.
However, delaying deployment of these patches would be a serious mistake – the security impact of the vulnerabilities in question is substantial and exceptionally dangerous. Whilst it is our recommendation that operating system vendor patches are applied as soon as possible, we also recommend in the strongest terms that no-one should assume that systems residing behind firewalls are safe.
The good news is that all major cloud providers (Amazon, Google, and Microsoft) have already patched their own infrastructure, and there should be no worry of added vulnerability from running on a public cloud platform over running on your own hardware. There may be a significant performance impact in either the cloud or physical infrastructure case, but in the cloud environment, this can be mitigated by spinning up additional virtual machine instances if needed (and indeed many may find that auto-scaled systems have already done so), which is difficult to do in a physical data center.
Processor vendors and cloud providers may face significant financial impact because of this vulnerability, but that is only of indirect interest to our customers. Almost everyone with physical infrastructure is ultimately likely to need to do a hardware refresh as a result of this vulnerability; organizations like AWS, with enormous investments in physical hardware, will feel that impact most acutely.
However, this set of vulnerabilities should not significantly alter the outcome of decisions regarding cloud vs. physical infrastructure. Indeed, the advantage of third party managed cloud environments is that the vendor is responsible for rolling out new hardware (and has a strong commercial incentive to do so).
As for the security impact, it should be noted that this is likely not the last we will see of this problem. The Spectre attack, in particular, is quite general and will doubtless lead to announcements of additional vulnerabilities in coming weeks and months. Proof of concept code that allows in-browser exploitation (including theft of passwords and keys from other browser tabs) has already appeared, and may result in high priority patches to browsers in the near future.
It is not clear what the long-term hardware fix for the problem will be, and it will take quite some time for Intel, AMD, ARM, and other vendors to come up with permanent solutions to this side channel attack. Even once such solutions are designed, new hardware will take a long time to design, manufacture, and ship.
The message for you to take away is that the situation may get worse before it gets better, and we all must remain vigilant about monitoring the security situation and deploying additional patches and mitigations as they appear. Now is the time to make sure your patching and vulnerability management processes are in great shape.
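One concrete check to fold into that patching process, as an added example that is not part of the original post: on Linux, recent kernels report per-issue mitigation status under /sys/devices/system/cpu/vulnerabilities/, and the function below reads those files and flags any entry that is neither mitigated nor marked not affected. It assumes a kernel that exposes that directory; an optional directory argument lets it run against a constructed snapshot.

```shell
#!/bin/sh
# Added example: report Spectre/Meltdown mitigation status on a Linux host.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# with one file per issue (e.g. "meltdown", "spectre_v1", "spectre_v2"),
# each containing "Not affected", "Mitigation: ..." or "Vulnerable...".
# $1 may name an alternative directory (a snapshot copied from a host);
# it defaults to the live sysfs path.
# Exit status: 0 = every reported issue is mitigated or not applicable,
#              1 = at least one unmitigated issue, 2 = no status available.

check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status; treat host as unpatched" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|Mitigation:*)
                echo "OK        $name: $status" ;;
            *)
                # Anything else ("Vulnerable", "Unknown", ...) needs attention.
                echo "ATTENTION $name: $status"
                unmitigated=$((unmitigated + 1)) ;;
        esac
    done
    [ "$unmitigated" -eq 0 ]
}

# Stand-alone use: run on the host under review (optionally pass a directory).
check_cpu_vulns "$@"
```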
(Full technical details of the attacks may be found at https://spectreattack.com/)
Written by Chris Buckley and Perry E. Metzger.