7 January 2018

Spectre

When I read about Meltdown and Spectre in the Reuters Technology News early on Wednesday morning I digged directly somewhat deeper to find details about the access vectors and severity. From a quick view of the published material I concluded that these vulnerabilities were only locally exploitable and would have medium to high impact. No need to panic.

Media coverage was very high the next morning. Even the German local radio stations brought details about Spectre and Meltdown in the news, although there was no ground for public panic.

The following table shows the Meltdown and Spectre vulnerability details:

Meltdown and Spectre Vulnerability Details, CVSS V3 Metrics

Sources: [1] NIST NVD, [2] RedHat Customer Portal, [3] NIST NVD
Abbreviation list: AV: Access Vector, AC: Access Complexity, PR: Privileges Required, UI: User Interaction, C: Confidentiality, I: Integrity, A: Avaliability

To exploit these vulnerabilities an attacker must have either local access to a system on your network (Access Vector Local) or access to your local network (Access Vector Adjacent Network).

But why should an attacker, who got access to a system on your network, exploit e.g. Meltdown to extract passwords from the memory of a process? The access complexity is high; thus, the likelihood of early detection goes up.

We can expect that cyber criminals don’t behave irrationally. They choose the attack method with low chance of detection. And recent publications suggest this:

According to the Ponemon 2017 Cost of Data Breach Study the Mean Time to Identify (MTTI) a data breach in 2016 was 191 days, down from 201 days in 2015. If cyber criminals would behave irrationally, the MTTI would be much shorter.

Thus, there is no need for panic. Just apply the latest patches and check the performance of critical systems.

Have a great week.