Don't Spectre-late: Our Spectre and Meltdown Scorecard
Early January 2018 was unlike any other – I’m not referring to the spectacular snowfall that blanketed the Algerian Sahara or the rare super blood red moon that got us all peeking into the open sky. Rather, there was another event that took the masses by surprise, the discovery of critical design flaws in processors from leading chipmakers that could let attackers access sensitive information. The fact that there is a good chance this blog is being viewed on a computer that was affected by Spectre or Meltdown is unnerving. At the very core, these exploit a flaw in the concept of branch prediction or speculative execution within CPUs.
The idea of speculative execution has been around for several decades – as an analogy, the barista (CPU) at my favorite coffee shop predicts that my order (a machine instruction) would not change and keeps my cappuccino ready (loads the instruction into memory) - I walk in each day, improving my experience and maintaining a faster customer churn rate. All this is great until the day I decide to order a double latte (instruction prediction fails.) The unconsumed cappuccino (loaded instruction) gets thrown (is swapped out) which then presents a source of information leak to a bad actor. My grande password just got stolen from memory. Not desirable.
While we all agree that vulnerabilities will not all be known ahead of time (underscored by the dormant nature of Meltdown and Spectre for decades), the bottom line is that Enterprises must prepare themselves to react predictability to the unpredictable. Pulse Secure’s PSIRT and Customer Success teams did exactly that. Within a few hours, we published a Knowledge Base(KB) and placed alerts on our Customer Support Portal to inform customers of the potential impact of these vulnerabilities to their Pulse Secure Access deployment. With our global cross-functional teams working around the clock, it took less than 72 hours to provide guidance on Pulse Secure products and the required fixes across applicable products.
Generally speaking, should we be concerned? Perhaps. Clearly not every impacted CPU in the world has been replaced with a fix. It’s accurate to say that software patches have largely taken care of plugging holes in systems, but in a world where devices and people are interconnected like never before, information loss is ever more pervasive. None of this should deter us from facing future challenges though. We at Pulse Secure believe Security is not only about Control, but about Access and having the right policies in place. As the ancient saying goes “may we live in interesting times”. Well, it is time for my next cappuccino and I know my barista has it ready – I won’t surprise her.