The start of January saw revelations of hardware bugs in micro-processors, named Meltdown and Spectre. This incident provided a fresh perspective on micro architecture, as well as the problems in patching them.
Infosecurity recently met with David Dufour, senior director of cybersecurity and engineering at Webroot, who called the bugs “fascinating” and said that while it was something we should not be proud of, from an engineering perspective, it was particularly bad.
“With Meltdown we’re going to be reasonably okay as there is a software solution for it, but Spectre is a family of problems and we’re going to see issues with Spectre for years to come, most likely. As it is AMD, ARM and Intel you could make the argument for IoT, especially depending on the ARM chips that are affected.”
After the disclosure, the race began to fix the bugs and one survey claimed that up to $50,000 and 20 hours could be spent trying to remediate the issues. Dufour acknowledged that the issues are hard to execute and the problem will be that there are chips out there on devices that unpatchable – because of the way that they were built, hence the potential vulnerabilities in IoT.
“Maybe they are sitting embedded in concrete, no one knows, until someone makes money from hacking them and I don’t think it will be too widespread, but I think it is something we’ve got to watch.”
He explained the basics: that Meltdown had the ability to read a page file in memory, and as most hacking involves getting access to memory an attacker would need to and write something to it to execute it. “With Meltdown it was more about being able to steal information off the page file; I don’t think anyone has shown that they could actually read from the page file.
“Spectre was a little bit different as it was a family of issues and we don’t exactly know what is going to come out of that, and there is no software fix so we are going to have to patch that one at a time as issues arise. With Meltdown there is a pretty holistic solution.”
When patches began to be released, there were reports that Microsoft had suspended patches after they caused machines to crash, despite the update containing countermeasures against both the Meltdown and Spectre attacks. The update also caused some computers running anti-virus software to spontaneously crash because the security programs aren’t compatible with the fixed system, leading to researcher Kevin Beaumont keeping a spreadsheet of which endpoint vendors had adapted to Microsoft’s update.
The update on Webroot’s SecureAnywhere product stated that the update did not set the registry key, and that the patch was supported. Dufour said that the bugs were not a big deal for the company as it is more focused on online threats.
“On the week of January 4 when this came out I came back to the office and everyone was in a panic saying ‘we have to get a fix out.’ So I said that they had to understand that our software is not going to fix this problem and we need to be communicative about that as we provide security solutions, but not hardware operating system security solutions,” he said.
“So, my point here is don’t think that your anti-virus is going to fix this; yes you’re probably exposed and your exposure is probably not that great, but you should just be vigilant and this comes back to patching stuff.”
He acknowledged that patching does cause problems for larger businesses with large IT suites in comparison to smaller businesses, but he said in the immediate aftermath he spoke with reverse engineers trying to figure out who could make money from these bugs, and if that could not happen then “it is probably a blip.”
Dufour admitted that some issues “get sensationalized” as with cases of stunt hacking, but he said that these are not really practical attack methods as so many require physical access, such as with the Mac security bug in November 2017.
“As an engineer, if I had the ability to promote my permissions I would not be monkeying around on anti-virus software, I would go straight at whatever I wanted to attack at that point.”
Dufour admitted stunt hacking was worthwhile but it was not worth “the big hubbub as that is a disservice to the public,” and we should be aware within the industry as we can deal with it, and not scare people for no real reason.
Hopefully these issues, and other similar instances of hype, prove how widespread some issues are in cybersecurity, but keeping a lid on the panic is important.
Join Infosecurity Magazine’s webinar ‘Beyond the Hype of Meltdown & Spectre: How to Patch, Fix or Replace Flaws & Bugs’ on Thursday February 15 at 4pm GMT/11am EST – register here