Columnists

It's a rough start to 2018

Meltdown and Spectre - two errors found in CPUs - are scary flaws. How impacted are you and I?

Read time 4min 00sec

What a way to start the year: with some of the biggest security flaws in recent history. Meltdown and Spectre - two distinct but relatable errors found in computer processing units (CPUs) - have made headlines for good reason. These are scary flaws, at least on paper.

To summarise, either flaw enables just about any application with access to a system to spy the memory of that system's kernel. The kernel is the heart and soul of any device. It is the core of the system that runs that device. Being able to access its inner thinking is a highly restricted activity. But Meltdown and Spectre can hand that to anything that runs on a system, potentially even javascript from a remote webpage.

Collectively these flaws impact just about every central processor vendor out there, from AMD to Intel to Qualcomm - though it should be added that Meltdown, the flaw affecting Intel chips, is considerably easier to access than Spectre, the flaw found on other vendors' chips. That being said, Meltdown can be patched whereas Spectre requires much deeper intervention.

A conservative impact estimate fingers all Intel chips for the past decade, though some put that as far back as the mid-Nineties. The level of exposure among ARM chips is also scary and even AMD is being impacted in a limited capacity. Apple and Microsoft are already issuing user patches, while Amazon, Azure and Google are all frantically patching their cloud servers.

This flaw is a so-called 'blueprint blunder': it's part of the actual architecture of the CPUs.

So how bad is this flaw? It's hard to say. Yet have no doubt, the potential of Meltdown and Spectre is scary. We may come to appreciate this later in the year, once the flaws have been weaponised by cyber criminals. By this I mean the flaws might become very exploitable, even for less skilled operators. We may be able to draw correlations to the ransomware attacks of 2017. These surfaced after flaws used by the NSA were publicly revealed. But this is no insightful prediction: cyber criminals routinely study white papers detailing flaws, then build tools to exploit them. This is why patching is non-negotiable.

A more direct impact may be performance: it's estimated that the patches for Meltdown will reduce computer speeds. By how much isn't clear: some on the internet say between 5 and 30 percent, though those are not official benchmarks. It may be less and chances are end-users won't see the difference on their devices. But they may, literally translating into a slow start for all of us this year.

If there is a performance impact, server environments such as clouds may be the visible proof. Patch they must, for these flaws can make it very easy for a virtual machine to access its host as well as other VMs on the server. This is critical enough that Tier 2 cloud vendors even banded together to fix their systems.

How impacted are you and I? That can't be answered generally. If you patch regularly, you'll probably be okay. If you have a security team, you should meet with them about this topic. If you own a lot of infrastructure or your business costs are hinged on a lot of infrastructure, you shouldn't ignore this.

There will be three stages throughout the year to this saga: first we'll see how much the patch for Meltdown slows down machines (if at all), then we'll see if anyone weaponises the flaw into some terrifying new criminal tool, and finally we'll see how Intel and co react. Some, such as Linux kernel godfather Linus Torvalds, are demanding no less than chip redesigns.

This flaw is a so-called 'blueprint blunder': it's part of the actual architecture of the CPUs. Patches are fingers in the holes, not fixes for the cracks in this gargantuan wall. In the case of Spectre, there is no clear prospect for any patching. Ultimately these flaws may have to be engineered and upgraded into oblivion. The 'quick fix' mentality we've cultivated around security might finally be catching up.

It's a rough start to 2018 and, if people ignore security as they usually do, it will likely get rougher. So never neglect your patching. The consequences of not doing so are getting worse and worse.

James Francis
ITWeb contributor

James Francis is ITWeb contributor.

Youtube play icon