agsandrew - stock.adobe.com

Meltdown and Spectre: to patch or not to patch

As IT recoils from the Spectre and Meltdown chip exploits, companies face patches that are incompatible, leading to crashes, reduced performance and lock-ups

Since the Meltdown and Spectre processor flaws were discovered by Google’s Project Zero team at the start of January, the IT industry has begun releasing patches and hot-fixes to provide a level of protection against potential exploits.

study based on anonymised and aggregated data from devices across the public, private and third sectors, managed by the IronWorks mobile management system, found that only 4% of mobile devices have security updates for the Meltdown and Spectre exploits installed.

The downside of patching is that some applications and services could take a performance hit as the patches tend to switch off the specific processor optimisation that is at risk of being exploited.

For enterprise IT, and the world of industrial systems also affected by Meltdown and Spectre, the security patches being released from companies such as Microsoft, Intel, AMD and ARM are interim measures, and some are causing incompatibility issues. This has the potential to make the patching of IT and industrial systems even more complex and time-consuming.

In the long term, the fixes will be rolled out in new chipsets by the hardware manufacturers – but this will take years.

Even when the new generation of secure chips is released, with normal computer hardware refresh cycles for most organisations of between three and five years, it could be a long time before all systems are free of the flaw.

“For companies with ageing hardware, patching could be an option, but it would be dependent on how quickly the new chipsets can be developed, tested and released for production usage,” said Bharat Mistry, principal security strategist at Trend Micro.

The challenge facing industrial systems

Given that Meltdown and Spectre are microprocessor vulnerabilities, their effect is not limited to smartphones, tablets, personal computers and servers. Network appliance and storage manufacturers that use chips containing the flaw are in the process of rolling out patches. Embedded systems will also need patching.

It has been widely reported that Microsoft’s Windows update for Meltdown and Spectre affected a number of software products, such as Rockwell’s FactoryTack human-machine interface tool, which experienced anomalies.

Given that Meltdown and Spectre are microprocessor vulnerabilities, their effect is not limited to smartphones, tablets, personal computers and servers

“Potentially any device that uses the affected chipsets from Intel, AMD and ARM will be open to the vulnerability,” said Mistry. “For IoT [internet of things] devices, smart TVs and set-top boxes, the main worry is violation of privacy, especially if a threat actor can take over the device by extracting usernames and passwords.”

Mistry believes the risk to point-of-sale terminals and cash machines could be much greater. “Malicious code can be used to intercept and manipulate data paths for illicit gain.

In a blog post, Chris Grove, director of industrial security at Indegy, wrote: “Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC Systems, Scada systems, peripheral devices, and IIoT [industrial IoT] devices including cameras and sensors, are most likely vulnerable.”

Grove warned that the challenge for many businesses was identifying which control systems might be affected.

Fortunately, not every device will be affected by the processor flaw. For instance, barcode reader manufacturer Denso, part of Toyota, issued a statement saying its handheld devices do not make use of the specific processor optimisation that Meltdown and Spectre exploit.

Read more about Spectre and Meltdown

Other companies have been directly affected and will need patching, but some of these patches are causing malfunctions.

“Many of the initial mitigations proposed by hardware and operating system suppliers indicate a high level of potential performance impact,” warned Schneider-Electric, which recommended caution if applying mitigations or patches to critical and/or performance-constrained systems.

UK industrial systems company Wonderware issued the following statement: “Customers running the Wonderware Historian software should not apply the Microsoft patch. Issues have been found with the Historian System Driver.”

The future of microprocessor flaws

There are a number of factors that limit the potential risk of Meltdown and Spectre. First, an intruder needs to attack a system known to have the vulnerability. The intruder also needs physical access to the vulnerable system, and needs to have the ability to install and run an exploit on that system.

These will limit the potential damage that exploits of Meltdown and Spectre could cause. But given that they represent flaws which compromises the microprocessor itself, one of the issues the industry now faces is that microprocessor flaws will become a new attack vector for hackers. 

The industry’s answer to this new risk, based on how it has responded so far to Meltdown and Spectre, is far from satisfactory. Patches are being issued, but many users are not updating their smartphones and some patches are causing software to break down.

Due to its very public nature and its effectiveness, Rik Ferguson, vice-president of cyber security research at Trend Micro, expects security researchers to continue to probe microprocessors with greater zeal.

“Spectre and Meltdown have been a graphic, highly publicised and widespread example of why the very limited ecosystem of microprocessors is ripe for research and exploitation,” said Ferguson“Processors occupy a privileged position in computer architecture, and flaws in this area, particularly flaws that can be remotely exploited, will prove to be very valuable indeed.”

Read more on Chips and processor hardware