Meltdown & Spectre Vulnerability: Symantec Critical System Protection
A series of new vulnerabilities has been discovered which affect the processor chips and potentially permits attackers to gain unauthorized access to a computer’s memory. Dubbed as “Meltdown” and “Spectre”, the vulnerabilities affect nearly all the modern processors. Affected devices can be mitigated through operating system patches, and the corresponding OS patches should be applied as soon as possible
For the latest and in-depth information about these vulnerabilities, see https://www.symantec.com/blogs/threat-intelligence/meltdown-spectre-cpu-bugs
Does Symantec Critical System Protection (SCSP) provide protection against the Meltdown and Spectre?
Spectre and Meltdown are primarily information leakage vulnerabilities. These vulnerabilities are fundamental and at the hardware level. There are no known working exploits for the vulnerabilities at the time of the writing, only the POC code.
In order to successfully exploit the vulnerabilities malicious code needs to execute locally. SCSP can mitigate exploits when proper policies are configured and applied to restrict and harden the device. SCSP comes with out of box security policies, Basic, Hardened and Whitelisting, which can ensure that untrusted code trying to exploit these vulnerabilities will not execute on the protected assets. (1) Whitelisting strategy reduces the attack surface drastically. (2) Even within the whitelisted applications the exploit controls – Buffer Overflow, Heap overflow, Null page dereference etc. ensures additional layers of protection. (3) SCSP hardening capabilities like Software Installation Restrictions, blocking installing malicious application to authorized execution path, blocking modification of executable files and blocking execution of non-executable extensions. (4) SCSP in-bound / out-bound network rules can further protect data to be exfiltrated out even if some scripts get to locally exploit it. All these greatly reduce the attack surface and protect the local device from being exploited.
In particular, applications that allow external code to execute via Macros or JavaScript’s should be cautiously whitelisted and appropriately sandboxed. Java script execution should be blocked if not required. SCSP’s Application specific firewalls rules should be used to further enhance security. Symantec recommends that SCSP customers apply the OS patches on all systems where external script executions / macros cannot be disabled.
Can I apply the OS vendor patches which provide mitigation for Meltdown and Spectre?
With Windows patches, no change to SCSP Agent is required. As an extra precaution for this kernel level change, we have analyzed the patch information for Microsoft and are testing the patches as they are released & no issues have been found. For detailed information on the OS patch compatibility certification with SCSP visit: https://support.symantec.com/en_US/article.TECH248579.html