Welcome to 2018. With the new year came new security vulnerabilities – Meltdown and Spectre. At first there was a general panic in the air. After all, the vulnerabilities are due to a defect in chip design (all chips – AMD, Intel, etc.) that goes back to well before the turn of the century. Browsers can be used to exploit these vulnerabilities. CERT initially recommended replacing everything. Not a very good common sense solution.
Are we really going to throw out every laptop, desktop, and smartphone that exists? There are billions of devices out there. As any CIO knows, the cost and logistical effort is worse than the vulnerability.
Well, the panic receded and companies and researchers got to work on software fixes that will mostly (but not fully) address the issue. Remember that the issue deals with how internal core chip data is managed in the kernel. The kernel memory is not supposed to be accessible to applications although the meltdown vulnerability could allow access by outside malicious actors. Spectre allows for attack strategies to get at the kernel memory as well. The hardware bios patches are intended to close this hole but could impact whether a processor works and how well it performs. The browser patches are intended to stop the attack vectors through the browsers.
If you are an owner of insurance technology ecosystems and are wondering what to do, the answer is patch. However, you should follow best practices. Make sure you have the most current patches (there will be different ones for different hardware and software from different manufacturers). Apply the patches in a test environment and test against your applications. Because we are talking about kernel memory, the likelihood of impacting applications is very small other than performance on application processor intensive tasks. Finally, apply in production and ensure you have a process to back out the patches if needed.
New year, new security vulnerabilities!
This blog entry has been republished with permission from Novarica.