Spectre and Meltdown have been with us for just over a year now, and despite all the predictions of dire consequences we have yet to see in-the-wild attacks beyond proof-of-concept code. So the question to ask is whether we should be giving up a lot of hardware performance (most of the associated mitigations carry a performance cost) for the sake of what may be theoretical security issues.
I recently had a chat with a client about the order in which vulns should be mitigated in their organisation and what strategy to use to optimise patch deployment. Admittedly the most popular and common option is to approach this from the view of criticality: it's rated critical, so we should fix it first? Well, not necessarily: many variables affect the order of fixes for your specific site or organisation. Factors like the nature of the systems, the impact trend of the vuln, its age and type, the type of application, patching intervals, whether it is remotely exploitable, reach and platform types can count for more than the CVSS score alone.
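To make that concrete, here is an added example (not the client's process or any published scoring scheme) of ranking vulns by those factors rather than by CVSS alone. The weights, the field names and the three sample vulns are constructed for illustration; the point is only that a high CVSS with no exploit and a costly mitigation can legitimately sit below a lower-scored bug that is being exploited today.

```python
"""Risk-based patch ordering: an illustration of weighing exploit maturity,
remote exploitability, reach and mitigation cost alongside CVSS.
Weights and sample entries are constructed for this example."""
from dataclasses import dataclass


@dataclass
class Vuln:
    name: str
    cvss: float             # base score 0-10
    remote: bool            # exploitable over the network without local access
    exploit_maturity: str   # "none", "poc", "weaponised", "in_the_wild"
    exposed_hosts: int      # affected systems you actually run
    mitigation_cost: float  # 0 (free) .. 1 (large performance/operational hit)


# Hypothetical likelihood weights per exploit maturity level.
MATURITY_WEIGHT = {"none": 0.1, "poc": 0.4, "weaponised": 0.8, "in_the_wild": 1.0}


def priority(v: Vuln, fleet_size: int) -> float:
    """Higher means patch sooner. CVSS sets the ceiling; the other factors scale it."""
    likelihood = MATURITY_WEIGHT[v.exploit_maturity] * (1.0 if v.remote else 0.5)
    reach = v.exposed_hosts / fleet_size
    # Mitigation cost only pulls the score down a little: a costly fix for a
    # live exploit should still win over a cheap fix for a theoretical one.
    score = v.cvss * likelihood * (0.5 + 0.5 * reach) * (1 - 0.3 * v.mitigation_cost)
    return round(score, 2)


def ordered(vulns, fleet_size: int):
    """Return the vulns sorted into the order they should be fixed."""
    return sorted(vulns, key=lambda v: priority(v, fleet_size), reverse=True)


# Constructed entries; the scores are not taken from any real advisory.
SAMPLE = [
    Vuln("CPU side channel (MDS-like)", 6.5, False, "poc", 900, 0.9),
    Vuln("RCE in internet-facing web portal", 9.8, True, "in_the_wild", 12, 0.1),
    Vuln("privesc in internal file server", 7.8, False, "weaponised", 40, 0.2),
]

if __name__ == "__main__":
    for v in ordered(SAMPLE, fleet_size=1000):
        print(f"{priority(v, 1000):5.2f}  {v.name}")
```

Run it and the side channel lands last despite touching 90% of the fleet: no working exploit, local only, and the fix costs the most. Swap its maturity to "in_the_wild" and it climbs accordingly, which is exactly the re-evaluation this post is arguing for.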
This class of CPU architectural issue is a case in point. Yes, theoretically the exploits are possible, but have there been any practical implementations yet? No? So do we really need to patch? When the costs associated with critical data loss and compromise are large, the choice is a difficult one and it's a fine line.
And this class of vulnerability is not slowing down. A new Intel-focused vuln called MDS (Microarchitectural Data Sampling, which apparently does not affect ARM or AMD platforms), comprising four related techniques, was disclosed in mid-May, the third such announcement this year already.
Side channel attacks seem to be a dime a dozen these days, but again, this vuln (or class of vulns) is listed as complex to exploit and may be as theoretical as all the others have been. Apple's immediate response was to offer full mitigation by switching off SMT (commonly known as hyperthreading), which comes with a performance hit Apple puts at up to 40%. Google did the same for Chrome OS. I can just see Homer saying "D'oh!".
Disabling HT/SMT, by the way, does not on its own fully mitigate MDS: the leak also crosses privilege boundaries on a single thread, so the microcode update and the OS-level buffer clearing on context and privilege switches are still needed ...
Once again, mitigations span hardware, firmware microcode and software/OS components, all of which need to be aligned to get full protection. Quite apart from patching strategies and the other blockers to rolling out co-ordinated fixes like this, what will the practical reach of these patches be? Servers will languish behind delays, and desktops, let alone IoT devices, may never even get the firmware fixes.
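Since "SMT is off" and "microcode is current" are separate questions, the sensible check is to read the kernel's own verdict rather than infer it. On Linux it is one line in /sys/devices/system/cpu/vulnerabilities/mds. The following is an added example, not code from this post or from any vendor, that parses that line into the three components (microcode present, buffer clearing active, SMT state) and gives an overall verdict. The status strings follow the formats documented in the kernel's hw-vuln/mds.rst; the sample lines are constructed so the script runs offline.

```python
"""Read and interpret the Linux kernel's MDS status line.

Added example. The sysfs path and status string formats are the kernel's
documented ones; the SAMPLES below are constructed test inputs."""
import re
from pathlib import Path

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")


def parse_mds_status(text: str) -> dict:
    """Split the sysfs line into its components.

    affected     : the CPU is in scope at all
    buffer_clear : the kernel runs the buffer-clearing sequence (VERW) on
                   context and privilege switches
    microcode    : microcode exposes MD_CLEAR, so that sequence actually works
    smt          : 'vulnerable', 'mitigated', 'disabled', 'unknown' or None
    """
    text = text.strip()
    if text == "Not affected":
        return {"affected": False, "buffer_clear": False, "microcode": True, "smt": None}
    main, _, smt_part = text.partition(";")
    smt = None
    m = re.search(r"SMT (vulnerable|mitigated|disabled|Host state unknown)", smt_part)
    if m:
        smt = "unknown" if m.group(1).startswith("Host") else m.group(1)
    return {
        "affected": True,
        "buffer_clear": "Clear CPU buffers" in main,
        "microcode": "no microcode" not in main,
        "smt": smt,
    }


def verdict(status: dict) -> str:
    """Collapse the components into one answer a patch tracker can act on."""
    if not status["affected"]:
        return "not affected"
    if not status["buffer_clear"] or not status["microcode"]:
        # Whatever the SMT state, the buffers are not being cleared:
        # this is the "SMT off but still exposed" case.
        return "unmitigated"
    if status["smt"] == "vulnerable":
        return "partial: buffers cleared, sibling-thread leakage still possible"
    if status["smt"] == "unknown":
        return "partial: guest cannot see host SMT state"
    return "mitigated"


def check_host() -> str:
    """Verdict for the machine this runs on, or 'unknown' if there is no sysfs entry."""
    try:
        return verdict(parse_mds_status(MDS_FILE.read_text()))
    except OSError:
        return "unknown: no sysfs entry (not Linux, or kernel predates the MDS patches)"


# Constructed sample lines in the kernel's documented formats.
SAMPLES = [
    "Not affected",
    "Vulnerable; SMT disabled",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
    "Mitigation: Clear CPU buffers; SMT disabled",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(parse_mds_status(line)):60s} <- {line}")
    print("this host:", check_host())
```

The second and third samples are the ones worth noticing: SMT is disabled in both, and both still come out "unmitigated", because the buffer-clearing half of the fix is either switched off or has no microcode to back it. Run check_host() across a fleet and the answer to "what is the practical reach of these patches?" stops being a guess.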
So it's all a bit wishy-washy at the moment. Time for some risk analysis.