Huge coordinated vulnerability disclosure needed for Meltdown
Unprecedented Spectre and Meltdown CPU flaws required a vast coordinated vulnerability disclosure effort over six months and across dozens of organizations.
A massive coordinated vulnerability disclosure the size of Meltdown and Spectre is rare, and it almost went off without a hitch.
According to those close to the matter, the vulnerability disclosure process for the Meltdown and Spectre CPU flaws spanned almost six months. However, it appears the details and patches needed to be rushed out due to the rampant speculation and even proof-of-concept code that came out Wednesday.
Early rumors indicated the coordinated disclosure of the Meltdown and Spectre flaws would happen around the time of Microsoft's January 2017 Patch Tuesday release on Jan. 9. The official statement released by Intel on Wednesday even referred to "Intel and other vendors [planning] to disclose this issue next week when more software and firmware updates will be available."
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said the coordinated vulnerability disclosure was "overall positive."
"It stayed a relative secret for almost six months," Williams told SearchSecurity. But, he added, if the disclosure was pushed out early, it may have been due to a Linux Kernel Mailing List message posted by an AMD software engineer. "It was either intentional or unbelievably careless wording. AMD basically drew a roadmap to the vulnerabilities."
Allan Liska, intelligence architect at Recorded Future, a threat intelligence provider based in Somerville, Mass., said the news snowballed after the initial discovery.
"Really, the only thing that threw a monkey wrench into the process was the fact that the information security community is so much larger and willing to share findings," Liska told SearchSecurity. "Someone noticed something strange and posted it on Twitter; another researcher verified the findings; and, suddenly, a bunch of people were looking at a problem, which forced disclosure earlier than intended."
Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, said this last-minute mistake and the speculation that resulted from it undermined the coordinated vulnerability disclosure process.
"I would have to say that this has not been a smooth disclosure process. Attempts to have a proper coordinated public disclosure of the flaws were undermined by the public revelation of Linux kernel patches for Meltdown, along with commentary about an Intel-specific bug," Young told SearchSecurity.
"The coordinated disclosure was not, however, a complete mishap, as patches are already available for most of the high-risk platforms," he continued. "Microsoft, for example, had already alerted customers to a mandatory maintenance window on their Azure platform and was able to respond to the disclosure with remaining patches for supported Windows versions."
Meltdown and Spectre disclosure scale
Experts were impressed overall, though, because Meltdown and Spectre are flaws based in microprocessor architecture, and the effects were widespread and required coordinated vulnerability disclosure of the scale and scope rarely seen.
According to the official branded website, the research into the CPU flaws relied on work from Google's Project Zero team; Graz University of Technology in Styria, Austria; the University of Pennsylvania; the University of Adelaide in Australia; Cyberus Technology; and Rambus. Meanwhile, patches and mitigations are listed from Intel, ARM, AMD and 23 other vendors of browsers, cloud platforms, virtual machine developers and more, as of this post.
Peter Trangeneral manager and senior director, RSA Security
Peter Tran, general manager and senior director at RSA Security, based in Bedford, Mass., said this coordinated vulnerability disclosure was "unprecedented based on scale, impact and severity."
"It's the 'ground zero' for unpredictable cyberattack exposures on multiple levels -- not just data that may be exposed; we are looking at system impacts at the lowest to highest levels," Tran told SearchSecurity. "A disclosure like this needs near-surgical precision, given the criticality and unknown areas for exact remediation and patching."
Liska said compared to coordinated vulnerability disclosures from five years ago, "the response was excellent."
"The researchers disclosed the vulnerability responsibly, and all of the companies involved took the threat seriously, even though, for the operating system vendors, it meant addressing a vulnerability they had never encountered before," Liska said. "The security community collaborating and cooperating like this is the way it is supposed to work -- everyone being good citizens and sharing information that can help keep everyone safe."
Ben Carr, vice president of strategy at Cyberbit, noted that not all of the official vendor statements were as accurate as they could have been, but were "what we would typically expect to see."
"They are admitting the issue, but trying to downplay the impact. Specifically, Intel's statement indicated it wasn't possible 'to corrupt, modify, or delete data,' only to gather data. Gathering sensitive data is anything but a trivial issue," Carr told SearchSecurity. "This highlights the need, as an industry, to transition from a mindset where we expect to live in a walled garden and build a strong enough perimeter to prevent intrusion to one where we defend as best we can, but prepare for the eventual compromise and need to respond through a well-thought-out and reasoned approach."
Work still to be done
Despite the successes in the coordinated vulnerability disclosure process, experts also noted that remediating the Meltdown and Spectre vulnerabilities may not be as clean as vendors make it seem.
Tran said the success of the overall remediation outcome "will have a direct correlation to how well both public and private sectors globally work together."
"It's a very delicate balance no matter the scale and severity of an incident. In this case, it's a balancing act of how much to disclose and the timing, staying mindful of how much is disclosed, while keeping in mind cyberattackers would have the same access to the disclosures -- too early and the vulnerabilities can be exacerbated; too late it and the exposures may be too big to recover from. Time will tell based on remediation efforts to truly judge," Tran said. "By far, the most difficult part for remediation is how to effectively monitor legacy networks, mobile, cloud and any microprocessor-based embedded devices."
Williams had previously pointed out that none of the patches fix the core CPU flaws, but instead act to prevent practical exploitation. He also told SearchSecurity that "Intel is not patching chips older than 2013."
"I think this probably has the largest cross-section with older OSes that won't get patched, either," Williams said. "So, if your chip doesn't get patched and the OS doesn't get patched, I would say that makes the remediation hard."
Ken Spinner, vice president of field engineering at Varonis, based in New York, said it is "important to focus on the outcomes, rather than the minutiae of the process."
"Cloud vendors with hundreds of thousands of vulnerable VMs under management and other high-impact services had early access to patched software and were able to at least somewhat get out ahead of a widespread practical exploit of these vulnerabilities," Spinner told SearchSecurity. "Companies who've shored up their processes and are quick to roll out patches across the enterprise are always going to have the upper hand. Companies that fail to have processes in place to routinely patch are taking a gamble and may just have their luck run out."