Even as updates start to trickle out, Spectre remains poised to haunt the IT industry for some time.
First made public alongside the Meltdown vulnerability, Spectre is actually a class of vulnerabilities that take advantage of the side effects of speculative execution, a method used by microprocessors to speed their performance. Using Spectre, an attacker can enable a malicious program to access another program’s mapped memory. Virtually all modern processors are thought to be affected by the issue.
Unlike Meltdown, Spectre cannot be fixed by applying an individual update because it does not exploit a specific feature; it is not possible for security vendors to develop a signature for Spectre either. Instead, they must develop patches to address each unique use case as they are released into the wild. To deal with Spectre, organizations will have to maintain a constant state of vigilance. Vendors are already developing ways to address the situation, but there are steps organizations can take besides simply waiting for a stream of patches to be delivered.
For starters, it is important to get a handle on concerns about the impact patching will have on performance. There has been speculation that patching Meltdown and Spectre will diminish CPU performance by as much as 30 percent. While that is likely a significant overestimation in most cases, the smart move is to baseline the performance of critical servers and services before patching, so impact of any update can be accurately measured. From there, organizations can work with the appropriate vendors and service providers to mitigate any drop-off.
Another step organizations can take to mitigate the threat of Spectre is strong application control policies. Spectre requires processes to run on the targeted machine; meaning ensuring that only trusted, authenticated applications can run reduces the potential risk. In addition, following the principle of least privilege, in which every process, user, or program accesses only the information and resources that are necessary for its legitimate purpose, will similarly lower the risk.
Spectre is reportedly not easy to exploit, and so far, no security vendors have reported seeing it exploited in the wild. However, given the prevalence of the technology, which is literally at the heart of every system from desktops to smartphones to servers, attackers have an extremely target-rich environment to work with. Staying secure means staying on top of patching, and keeping an eye out for new information about an ongoing risk.
More technical information can be found in our Spectre Response Kit.
For details as it relates to the Meltdown vulnerability, visit our Meltdown Response Kit.