Unintended Consequences: The Fallout of Vulnerability Hype

2018 started off with a bang as the information security community had a meltdown over the spectre of a new class of vulnerabilities which affect the core of every computing device: the central processing unit (CPU).

Modern processors speculatively execute instructions which may or may not be required in order to improve performance. If the execution was not required, the results are discarded, and the programs are blissfully unaware.

The new vulnerability class involves observing artifacts of speculative execution. The artifacts form a side-channel allowing an attacker to read memory across security boundaries: a malicious process could read the contents of a remote target process; or a malicious process could read the contents of kernel memory.

Ironically, news of the vulnerability was itself leaked through a side-channel when Jonathan Corbet noticed the KPTI (previously known as KAISER) patchset was being rushed for introduction in the upcoming Linux kernel update.

A change of this magnitude would typically undergo lengthy discussions and multiple revisions prior to being included for release. Instead of the expected discussion, the patchset was accepted without much fanfare by Linus Torvalds. Corbet’s article ignited a chain reaction as security researchers around the world began digging through prior research to uncover the vulnerability.

Speculation about the massive vulnerability reached a critical point when proofs of concept demonstrating the vulnerability appeared and vendors broke the coordinated release date by providing full disclosures almost a full week prior to the agreed upon date. Smaller cloud computing providers scrambled to determine their exposure and to apply the mitigations.

The immense hype buildup, premature disclosure and chaotic patch rollout created a cloud of confusion among consumers, system administrators, and software vendors alike. Due to “misbehaving” personal security products, Microsoft required security software vendors to validate that their software was compatible with the new update and to push a registry key setting to customers before the Windows update would be offered.

Additionally, the patch proved incompatible with some older hardware and had to be withheld after users reported that it would disable their machines, causing even more confusion and uncertainty. Industrial control systems (ICS) were also affected by the vulnerabilities and by the patch incompatibilities.

Once news of the vulnerabilities bleeds into traditional news outlets, fear, uncertainty, and doubt (FUD) set in and users rush to protect themselves - only to be greeted by the cloud of confusion - which allows malicious actors to take advantage of the chaos.

This isn’t the first occurrence of bad guys jumping on the ‘fail train’ to spread their malware. In 2014, unscrupulous actors spread their malware by claiming to be a Heartbleed removal tool to patch the notorious OpenSSL bug.

Lost in the chaos of this meltdown is the fact that attackers must have the ability to execute code on the machine in order to exploit these vulnerabilities. If an attacker already has code execution, the game is lost.

The biggest concern is for users relying on multi-tenant infrastructure such as cloud computing, where other actors have the ability to execute code on the same physical machine - your home PC or smartphone, while vulnerable to Spectre and Meltdown, is more likely to get infected by your run-of-the-mill ransomware.

As an industry, we must become better about how we inform and educate users about the risk of software vulnerabilities, and how to protect themselves through the appropriate channels.

The firehose hype of branded vulnerabilities and FUD will at best present the security industry as “the boy who cried wolf,” or worse, will confuse users into downloading and running executables from random third-party websites that may or may not be malicious.

Otherwise, we will just have to accept that as a society, we just suck at computers.

At the end of the day, the guidance remains the same: users should follow best security practices by keeping their antivirus software, browsers, operating systems, and firmware up to date through official vendor channels; avoid clicking on links distributed over e-mail, instant messages, or social media; and avoid downloading and executing random files that claim to ‘fix’ or ‘inspect’ your computer for the “bug du jour.”