Don’t Fear the Zombie
Processor vulnerabilities such as Spectre and Meltdown scared computer users in 2018. Now this type of weakness is back with Fallout, ZombieLoad and RIDL. Read what IGEL does to keep our customers safe.
Speculative execution is a nifty trick that modern microprocessors use to do their work faster: Regardless of whatever branch program execution will take – the CPU has already calculated the result in advance. However, this speed increase has a security downside. Timing attacks and other techniques can be employed by attackers to abuse speculative execution to read data that the CPU would normally protect from them.
Confidentiality under Threat
What would that mean? On a multi-user-system, one user’s program could potentially read passwords, cryptographic keys and other confidential information associated with another user’s processes on the same CPU. This threat is even worse for cloud hosting providers, where one customer might access secrets contained in a different customer’s virtual machine.
IGEL OS and IGEL’s variant of Windows 10 IoT, however, are in effect not really multi-user systems. True, technically they run code under different user, administrator and system accounts – but the secret information they might contain in practice only belongs to the person sitting in front of the workstation. The fact that IGEL operating systems run from read-only system partitions further mitigates the risk that an attacker could install a snooping program on a machine. This is why IGEL rates the threat of the recent processor vulnerabilities for IGEL systems as low.
Help Is on the Way
In addition, IGEL is working on integrating Intel microcode fixes for Zombieload, RIDL and Fallout (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) into our products. Our Product Security Incident Response Team has published Security Note 2019-03 [LINK], announcing fixed versions of IGEL OS 10, IGEL OS 11 and IGEL Windows 10 IoT. When these are released, we will update that note, and inform our customers via blog posts and a newsletter.