Security experts believe hackers will soon start to remotely exploit the recently disclosed vulnerabilities affecting Intel, AMD and ARM processors, if they haven’t done so already.
Researchers disclosed on Wednesday the details of Spectre and Meltdown, two new attack methods targeting CPUs. The attacks leverage three different flaws and they can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails.
The affected CPUs are present in billions of products, including PCs and smartphones, and attacks can also be launched against cloud environments.
The best protection against these attacks is the use of kernel page table isolation (KPTI) and affected vendors have already started releasing patches and workarounds.
Mozilla has conducted internal experiments and determined that these techniques can be used “from Web content to read private information between different origins.” While the issue is still under investigation, the organization has decided to implement some partial protections in Firefox 57.
Mike Buckbee, security engineer at Varonis, noted that while exploitation via the browser might not give attackers access to files, they are still likely to find valuable data in the memory, including SSH keys, security tokens and passwords.
While affected vendors say there is no evidence that Spectre and Meltdown have been exploited prior to their disclosure, the researchers who discovered the vulnerabilities warn that attacks are not easy to detect.
Researcher Jake Williams said, “It’s reasonable to assume that most nation states had Spectre and Meltdown before public announcement. If by some miracle they weren’t already using these, they will be now.”
Bryce Boland, Asia Pacific Chief Technology Officer at FireEye, agrees. “Nation state hackers typically use these types of vulnerabilities to develop new attack tools, and that’s likely in this case,” he said.
Sam Curry, Chief Security Officer at Cybereason, also believes sophisticated actors will likely exploit the flaws, if they haven’t done so already.
“This isn’t yet doom and gloom but the tension will rise. And don’t be surprised if it comes to light that a nation state is already using this or if a catalyst in the form of hack or research further heats this up and makes it a more clear-and-present risk in 2018,” Curry told SecurityWeek.