Meltdown and Spectre

Question

Hi 
 
 Meltdown and Spectre are 2 security vulnerabilities on a processor that can allow an attacker to read other process and kernel memory. 
 It can be used with Javascript to access memory form the web browser. I can be used in a container or a VM to access other containers/VM memory 
 Is InterceptX tested against this attacks? 
 
 Best regards

Gowtham Mani · Answer

Hi OLIVIERMIOSSEC, 
 The reported vulnerability is processsor level flaw that needs to be updated with the Windows securiytupdates. 
 The reported security vulnerabilites are addressed in Windows patches that were released ahead of schedule by Microsoft on January 3rd. Sophos is investigating the vulnerability involving a "kernel memory leak" to determine any impact of these vulnerabilities and patches to our products and services. 
 For more updates refer Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) 
 Also check our Nakedsecurity post regarding this Intel CPU flaw needs low-level OS patches.

MarkLoman · Answer

Hi OLIVIERMIOSSEC, 
 It is important to understand that the 3 recently discovered vulnerabilities in processor hardware (collectively called Spectre and Meltdown) do not lead to remote code execution. Instead, when used correctly, these vulnerabilities offer information disclosure. Attackers who want to leverage these vulnerabilities must either craft a malicious web page that runs in the web browser or introduce malware on the endpoint of the victim. Whichever the case, code must be introduced on the endpoint and the delivery can be blocked by even traditional security methods including anti-virus and web filtering. 
 Although the vulnerabilities are not abused at this time, browsers like Internet Explorer, Edge and Firefox have already received updates to thwart the potential attack vector via the browser. 
 Sophos Intercept X removes or defends against the attack vectors used by hackers and malware to infect the endpoint with malware. As the new hardware vulnerabilities do not offer code execution, attack vectors other than via the web browser will involve having to compromise the endpoint with malware first before an attacker can leverage a hardware vulnerability. If the attacker abuses another vulnerability in e.g. the browser, Flash or Office, prior or after abusing the hardware bugs, Sophos Intercept X will thwart this attack chain without requiring prior knowledge of the attack. 
 Other than proof-of-concepts and vulnerability tests, we do not expect that the hardware vulnerabilities are going to be abused in large scale attacks to infect or steal credentials from endpoints. Even though there are no prevalent attacks that abuse the hardware vulnerabilities, Sophos has sent out updates to detect use of proof of concept code in applications or web content. 
 Hope this helps. 
 Mark Loman Director, Engineering Next-Gen Technologies