Foreshadow has joined Spectre and Meltdown on the list of Intel’s announced chip security vulnerabilities this year.
Intel announced the vulnerability and released a well-produced video explaining the lapse and recommended fixes. While Intel’s response to Spectre and Meltdown earlier this year was disparaged by some as inadequate, their response to Foreshadow has been more favorably received. In the case of Foreshadow, Intel got out front and announced the flaw themselves.
Foreshadow (also known as L1TF) is a vulnerability that is seen in several variations. The potential window for hackers can be found in the CPU’s L1 data cache, which is essentially a small “memory bank” that helps determine what instructions the core will execute next. Intel says that in certain “virtualized environments” controlled by a bad actor, these vulnerabilities could be exploited.
Intel’s video admits that the vulnerability is tough to understand.
It “sounds complicated, and it is,” Intel says in its mitigation video. Intel advises that “staying current with all recommended security updates” is the best fix.
Daniel Gruss was one of the researchers who initially found the Spectre flaw, working with colleagues at Graz University of Technology in Austria. Gruss worked around the clock to cement his findings. So the most recent news doesn’t come as a surprise.
“I was first surprised that Intel came forward with L1TF. But after thinking a bit about it, it became clear that this was the most plausible way. If they would have kept it secret for now, it would have blown up in the media much bigger than it now has,” Gruss tells Smarter MSP.
What does Foreshadow mean for MSPs?
Intel calls the risk of a breach low, and a bad actor would really have to know what they were doing. But, the risk is there, and the patches should be implemented. The larger issue is chip security as a whole and whether these things will continually crop up. Most researchers say they will.
Gruss’s advice to MSPs is simple: “Timely applying patches as they appear.”
Yet, that may not be good enough in the long run. Gruss says researchers simply don’t know enough about how effective the patches actually are.
Applying patches as they appear might not be good enough in the long run to keep up with chip security vulnerabilities @SmarterMSP
“You cannot keep any secrets on the system anymore until patches are applied. Yet, currently, it is not clear how complete the protection by the patches is,” Gruss says.
That is troubling to Gruss and other researchers.
The patch for Meltdown is called Kaiser (KPTI), and that has been effective, Gruss says. But the patch for Spectre he isn’t as confident about.
“The patches for Spectre protect against some attack scenarios, whereas other scenarios are completely ignored,” Gruss says.
“To me, it is not clear why some are silently ignored,” Gruss says.
Vulnerabilities might not be getting ignored; they just may not have fixes yet. Intel knew about Spectre and Meltdown before researchers homed in on them, but Intel didn’t call them to the public’s attention because they didn’t have fixes. Perhaps this is the case here.
Tip of the security iceberg
Dr. Seth Hammon is the director of the Center for the Advancement of Cybersecurity at Cedarville University in Ohio. The roots of the chip security problems go back to the earliest days of laying our electronic ecosystem, he tells Smarter MSP.
“Security was not an important concern when the foundations of computer technology were laid, and so there are many deeply entrenched vulnerabilities out there,” Hammon says. Spectre, Meltdown, and Foreshadow are, Hammon fears, just the beginning.
“It is not surprising that there have been a slew of chip flaws lately. It was pretty clear that Meltdown and Spectre were just the tip of the iceberg that opened up brand new vistas into potential vulnerabilities,” Hammon says, adding that researchers started to focus their efforts more on that class of vulnerabilities after the gravity of Spectre and Meltdown became apparent.
With billions of chips in systems across the world, Foreshadow may simply be foreshadowing more problems ahead. MSPs need to stay on top of the most recent security fixes, or sophisticated of bad actors could find a way in.
Photo: Evdokimov Maxim/Shutterstock.com