By Chris Goettl
2018 started off with a similar level of excitement concerning the Spectre and Meltdown vulnerabilities — Spectre Variant 1 (CVE-2017-5753), Spectre Variant 2 (CVE-2017-5715), and Meltdown Variant 3 (CVE-2017-5754) — which surfaced late in 2017 but really started to affect us in January. These vulnerabilities are fortunately very difficult to exploit, so while many proofs-of-concept have been created and a lot of research has been done, we have not seen an attack in the wild exploiting them yet.
CPU vendors Intel, AMD and ARM began the effort of investigating and providing mitigating firmware updates for the speculative execution, side-channel vulnerabilities. Unlike a software vulnerability, the Meltdown and Spectre variants are hardware flaws which can only be mitigated. Fixing the flaws will take a physical architectural change to the chip designs, which will take much longer.
As CPU vendors have been working to provide firmware updates to mitigate the exploits, OEM vendors have been creating software updates to change the behavior of operating systems, security software, and many other products to ensure that the change in behavior at the CPU level does not affect the user experience or functionality of the OS.
Meanwhile, Microsoft and several other vendors provided software updates to implement the mitigations. These updates were complex to execute because they required both deployment of the software update and registry changes.
To add to the confusion, antivirus vendors had to provide compatibility updates to their software as interactions with the Microsoft mitigations resulted in the dreaded blue screens of death. Over the past months Intel and AMD have provided multiple microcode changes to fix these firmware issues, which are all processor dependent. Applying all these updates from multiple vendors has been a challenge for every IT team, and it isn’t over yet.
CVE-2018-3639 was discovered on May 21, introducing a new variation called Speculative Store Bypass. On June 13 another speculative execution, side-channel variant was discovered, known as Lazy FP State Restore. With each new variant, new firmware updates, software updates, and mitigation features are being introduced.
Based on the current trend, it is very likely that we will see more variants and subvariants of Meltdown and Spectre vulnerabilities before this is over, and final resolution in the form of a chip architecture change may be a long time coming.
What to Watch for the Rest of the Year
Now that we are halfway through the year, some trends have surfaced.
For one thing, looking at the vulnerability data source site CVE Details, it’s clear that there are more vendors taking security seriously. For instance, Qualcomm, the manufacturer of the Snapdragon processor that is in so many of our mobile devices and other technologies today, has been resolving between 1 and 8 CVEs per year since 1999.
In 2018 they have already resolved 268 vulnerabilities, putting them in the #5 spot behind:
- Google (#1 with 349 CVEs)
- Microsoft (#2 with 341 CVEs)
- Oracle (#3 with 299 CVEs)
- Debian (#4 with 296 CVEs)
While these four vendors are not a surprise, the fact that Qualcomm has jumped from a lifetime 53 CVE total to 268 so far this year begs a few questions. Has Qualcomm been resolving more vulnerabilities than were disclosed for all these years or are they focusing more on security than in previous years in this new Spectre/Meltdown world we live in?
Software vendors you might never have heard of before, such as ImageMagick and Blender, are popping up in the top 50 products lists. Could this be related to the popularity of their tools and software drawing more attention from security researchers? But why the shift and why so dramatic? ImageMagick had a sudden shift from a lifetime 62 CVEs to a whopping 357 CVEs resolved in 2017. They are currently #22 on the CVE Details 2018 top 50 vendors list with 40 CVEs resolved.
Adobe typically sits pretty high on the top 50 vendor and top 50 product lists, but this year one of the PDF alternatives, Foxit, has overtaken them in total CVEs resolved. I expect that this will change shortly. According to CVE Details, Adobe has resolved just 82 CVEs so far, but they recently released another round of updates, including one for Adobe Acrobat and Reader (APSB18-21) that resolved 104 additional CVEs.
So, while Foxit currently holds the #13 spot on the top 50 vendor list with 101 distinct CVEs, Adobe may overtake them once the CVE Details database catches up. This is an ironic trend arising because PDF alternatives have become more popular in light of high security concerns around Adobe software.
At this stage of the year, here are some things to watch out for in patch management:
- Firmware management is a rising concern. From CPUs to GPUs and routers to modems, we have seen increases in vulnerabilities in hardware over the past few years, and in 2018 the escalation is rapid.
- If you think turning to alternative software titles is going to protect you, think again. The alternative vendor will have security flaws of their own. And as their product grows in functionality and draws attention from security researchers, more of those security flaws will crop up — just as we are seeing in the PDF world.
- Any software title on your network poses a risk. Obviously the more popular, the higher the risk, but I would recommend the following guidance:
  - If it is installed and there are updates, apply them, as there are most definitely security flaws whether documented and disclosed properly or not.
  - If it is no longer in use, remove it.
  - If you cannot update it, ensure that you have additional security controls to mitigate the risk of exploitation.
It will be interesting to see the rest of 2018 unfold. As new Spectre and Meltdown variants continue to surface, we will see ongoing updates for mitigation across the board. We can only hope these updates become a normal part of the patch routine and not the technical challenge they have been.
Let’s also hope that we are ahead of this one and don’t see another round of WannaCry- or NotPetya-type events.
About Chris Goettl
Chris Goettl is director of product management, security at Ivanti. Chris is a strong industry voice with over 10 years of experience in supporting, implementing and training IT admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and is often quoted in the media as a security expert.