When the Spectre / Meltdown vulnerabilities were identified, it made the evening news. Remember Heartbleed? I had relatives who can barely use a computer call me to tell me their computer was suffering a heart attack; people who had no business trying to address this issue knew about it. Yet Foreshadow hasn't received the same attention. Is it simply too complicated? Is the public so fatigued by Intel processor vulnerabilities that they are no longer newsworthy? I think not! So, here is my non-technical breakdown of what Foreshadow is, why we should be talking about it, and its potential impact.
Uncovered back in January of this year, Foreshadow is (yet another) vulnerability found in Intel processors. I did read some posts at the time, but nothing major. Recently there has been additional coverage about it, owing to university researchers collaborating to discover an exploit of Foreshadow. In the BBC article covering that work, Intel specifies that they haven't heard any reports of real-world exploits. That would be fair if I could just add one word: yet.
Why should small and medium-sized enterprises care about Foreshadow?
1) Prevalence of the Affected Technology:
The number of Intel processors in our endpoints is enormous. Even though this has been declining recently, they're a behemoth, representing nearly 80% of the market last year. Given the longevity of a processor line, the number of devices in your environment that stand to be affected when a vulnerability is discovered is likely very high; Spectre / Meltdown, for example, was estimated to have impacted over three billion devices. Foreshadow impacts all the Intel processors released in 2015 and onwards (see the full list).
2) Frequency of Vulnerabilities Discovered:
Intel has had five vulnerabilities discovered this year – and those are just the ones that have been identified publicly, that we know of.
3) The Access this Vulnerability Affords:
Foreshadow makes it possible to circumvent the protected areas of memory that the processor sets up through the Software Guard Extensions (SGX), areas that code running outside them is not supposed to be able to read. SGX's ability to create "black box" enclaves within the processor is supposed to render certain operations impermeable to malware. That all changes with the discovery of Foreshadow.
In case those reasons aren't enough, there are going to be patches issued to remedy this vulnerability, as there would be with any other. Patches come with their own set of issues (see my post on avoiding Microsoft Patch Hell) with the potential to impact your business, most notably the possibility of system performance degradation or instability (manifested in potentially nasty consequences like BSODs).
Until the vast number of affected machines are patched, you had better hope that you can quickly identify the kernel-level intrusions that Foreshadow could enable. Unfortunately, your anti-virus doesn't operate at that level, so you can't rely on AV alone. If only there were an MDR provider who could detect and respond to threats like that…
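Before worrying about detection, it helps to know whether a given machine has the Foreshadow mitigation at all. The script below is an added example, not code from the original post; it reads the status files that Linux kernels carrying the L1 Terminal Fault (Foreshadow) mitigation expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each one. The sample status strings embedded in it are constructed to look like real kernel output so the check can be exercised offline, and it also covers the earlier Spectre / Meltdown entries mentioned above, since the same sysfs interface reports them.

```python
"""Classify Linux sysfs mitigation status for Foreshadow (L1TF) and related issues.

Added example, not part of the original post. It assumes a Linux kernel that
exposes /sys/devices/system/cpu/vulnerabilities/; on any other system it runs
against the constructed SAMPLE values below instead.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Foreshadow is reported by the kernel under the "l1tf" entry; the others are
# the earlier Intel speculative-execution issues the post refers to.
ENTRIES = ("l1tf", "meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one raw status line to: unaffected, mitigated, mitigated (with caveat),
    vulnerable, or unknown."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "unaffected"
    if s.startswith("mitigation:"):
        # A 'Mitigation:' line can still carry a caveat, e.g. l1tf reporting
        # "SMT vulnerable" when hyper-threading stays on next to VMX; flag it.
        return "mitigated (with caveat)" if "vulnerable" in s else "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: str = SYSFS_DIR) -> dict:
    """Read each entry's current status; a missing file yields None, which
    usually means the running kernel predates the mitigation."""
    result = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(directory, name)) as fh:
                result[name] = fh.read().strip()
        except OSError:
            result[name] = None
    return result


def report(raw: dict) -> dict:
    """Return {entry: classification}; an absent file (None) maps to 'unknown'."""
    return {k: ("unknown" if v is None else classify(v)) for k, v in raw.items()}


# Constructed sample values shaped like real kernel output, for offline runs.
SAMPLE = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    raw = read_sysfs() if os.path.isdir(SYSFS_DIR) else SAMPLE
    for entry, verdict in report(raw).items():
        print(f"{entry:10s} {verdict:25s} {raw[entry]}")
```

Run it on each Linux host after patching; an l1tf verdict of "vulnerable" or "unknown" means the fix is not in place, and "mitigated (with caveat)" means the kernel side is patched but the caveat text (for instance SMT left enabled on a hypervisor) still deserves a look.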