On Thursday January 3rd 2018 Google announced new class of IT security vulnerabilities via their research team Project Zero. ClearPoint has been following developments closely as our many clients and colleagues will be considering the extent and potential impact of this announcement.
The vulnerability relates to a technique called “speculative execution” used in CPU architecture, in which the CPU speculatively executes instructions based on assumptions.
Google state that, “During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound and can lead to information disclosure.”
Researchers have successfully demonstrated vulnerabilities on multiple CPU manufacturers and architectures, that show a malicious actor could get access to privileged CPU memory through this approach. As there are many millions of CPUs globally, which underpin all IT infrastructure and devices, the potential ramifications are serious.
There was a noticeable impact on CPU manufacturing stocks, following the announcement, which is explained further here.
We are monitoring this situation closely, however, there are some key points you need to be aware of:
What you need to know
- This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.
- This vulnerability is not new; it was discovered last year. Researchers have been working to verify and establish defense approaches in the interim
- To take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system. This is a technical class of attack requiring very specialised skills.
- CPU manufacturers and software suppliers will be releasing patches to mitigate this new class of vulnerabilities which may slightly degrade CPU performance.
- There are currently no known active exploits of this vulnerability
What you need to do
We recommend you actively watch for developments in this space and we will post further information as developments unfold. As per normal we recommend that system maintenance and patches are kept up to date, particularly as specific fixes for these vulnerabilities become available.
For those with cloud infrastructure, we recommend that you monitor the steps your infrastructure provider is taking to ensure that the vulnerability is being addressed.
As the New Year clicks over, this is a useful reminder of the layers, dependencies, and complexities of IT systems and the need to be continually vigilant and considered in your approach to Information security and IT governance.
We will keep you updated as relevant information comes to hand.
If you have any questions about this, please drop me a note at firstname.lastname@example.org
ClearPoint CTO & Co-Founder