The Ivanti Threat Thursday Update for January 4, 2018: New Threats for the New Year
Greetings and welcome. This week, software developers race to remediate a processor design flaw that puts millions of devices at risk, and a new zero-day vulnerability threatens most if not all versions of macOS. Make one of your New Year’s resolutions a commitment to share any relevant opinions, reactions, and/or suggestions inspired by what you read here, please. Thanks in advance.
Chip Design Flaw Forces Major Software Updates – US-CERT Reportedly Recommends CPU Replacement
The Project Zero team of security analysts at Google disclosed discovery of a design flaw that makes most CPUs vulnerable to memory “leaks” that create significant security risks. Disclosure of the flaw has resulted in security advisories from numerous industry entities, and rapid release of patches that offer some protection, but incur performance penalties.
- According to the Project Zero blog post, the resulting vulnerabilities, known as “Spectre” and “Meltdown,” “affect many modern processors, including certain processors by Intel, AMD and ARM.” As CSO reported, Meltdown affects almost every Intel processor released since 1995, while Spectre has been verified to affect processors from Intel, AMD, and ARM.”
- As The Register reported, the flaw “allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.” “At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs. At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory.”
- There are currently no actively detected exploits of these vulnerabilities in the wild, but there is plenty of proof-of-concept code that has been used to demonstrate how to exploit them. The risks were sufficient to drive Microsoft to release a Windows patch in advance of next week’s January Patch Tuesday. However, according to the CSO report, the update was not delivered to customers using what Microsoft says is incompatible antivirus software.
- By the end of next week, Intel is expected to release updates for 90 percent of the processors released during the past five years. Patches are also available now for Linux systems. According to The Register, “Similar operating systems, such as Apple’s 64-bit macOS, will also need to be updated.” These updates “will incur a performance hit on Intel products.” The slowdown may range from five to 30 percent, “depending on the task and the processor model.”
- In a Vulnerability Note, US-CERT, the United States Computer Emergency Readiness Team, recommends that users apply updates intended to address Spectre and Meltdown. “Operating system and some application updates mitigate” the risk of attacks via these vulnerabilities.
- CSO, VentureBeat, and Business Insider all reported that the ultimate solution recommended by US-CERT is to replace affected CPU hardware. All three reports quote US-CERT as saying “The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.” No such verbiage appears in the currently posted version of the Vulnerability Note linked to by those reports. However, a separate US-CERT alert says that since “the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.”
What We Say: The likelihood that your enterprise has the budget and executive support needed to replace every system running a CPU affected by these vulnerabilities seems low. You must therefore ensure that all of your systems and applications are as protected as possible. This means up-to-date patches, updates, and application whitelists. As these new threats make clear, effective, multi-layered cybersecurity must protect your environment from the widest possible variety of threats and vulnerabilities, not just hacker attacks. Critical success factors for defense in depth include timely, comprehensive patch management, the ability to roll out patches and software updates rapidly, securely, and where and as needed, and flexible, well-enforced whitelisting. (See “Transforming the Patching Process” and “The Equifax Breach, Patch Management, and Your Cybersecurity.”)
IOHIDeous: Every Mac At Risk?
A newly discovered zero-day vulnerability may affect every version of Apple’s Macintosh operating system. The threat reportedly enables root access to any Mac.
- As TechTarget SearchSecurity reported, IOHIDeous is a vulnerability that affects IOHIDSystem, a macOS component that connects the software to user interface elements, including keyboards and cursors. As described by “a hobbyist developer and hacker from Switzerland” who released proof-of-concept code exploiting the vulnerability, IOHIDeous affects “all versions of macOS going back 15 years.”
- IOHIDeous “could allow for an attacker to escalate privilege, run arbitrary code and gain root access.” Fortunately, “the flaw is not remotely exploitable,” and cannot be exploited without obviously affecting a system’s user interface.
- The Swiss hacker “noted that not all of the parts [of the hacker’s exploit] have been tested across all versions of macOS,” and that part of the attack used "’doesn't work on High Sierra 10.13.2 anymore.’" However, the hacker added that “the vulnerability is still present and may be exploitable in different ways,” and that it can likely “be easily adapted for other versions” of macOS.
What We Say: Devices running macOS and iOS are gaining traction among enterprises, especially those that connect with consumers, support users’ personal devices, or both. As adoption of such devices grows, they become increasingly attractive targets for hackers and attackers. Your endpoint protection solutions and processes must protect equally all software environments your users are authorized to use. (See our endpoint management blog posts, especially “What Are the Four Keys to True UEM?” and “UEM Is Dead. UEM Is Reborn. UEM Was Just Misunderstood. Long Live UEM!”)
Improve Your Cybersecurity. Partner with Ivanti.
What does your organization need to maximize its cybersecurity? Comprehensive patch management for your data center servers, your client operating systems and third-party applications, or all of the above? Control of the applications on your network? Granular management of your users’ devices and admin rights? Better abilities to fight and recover from malware attacks?
Ivanti solutions can help you address any or all of these critical cybersecurity challenges. Ivanti can also help enhance endpoint management across your organization. Check out our cybersecurity and endpoint management solutions online. Then, contact Ivanti, and let us help your organization achieve better cybersecurity, tap into more of The Power of Unified IT™. (And do please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates, throughout 2018.)