On January 4, 2018, major news outlets and trade publications including CNN, CNET, and The Guardian started reporting the news of an Intel chip vulnerability that could leave a huge number of computers and smartphones open to security problems.
Late Wednesday, Intel Corp said that most of the processors running the world’s computers and smartphones have a feature that makes them susceptible to attack. The problem is not limited to Intel chips; it also affects products manufactured by rivals AMD and ARM Holdings.
As of now, the world’s largest chipmaker is working with rivals and partners on a fix, but the news sparked concern about this fundamental building block of the internet, PCs and corporate networks.
Here is what you need to know.
What Is The Scare?
Meltdown and Spectre are the names of two serious security flaws that have been found within computer processors. They could, emphasis on could, allow hackers to steal sensitive data without users knowing. One of them affects chips made as far back as 1995.
Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected.
Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.
The question on most people’s minds right now is: how serious is the problem?
As cited in The Guardian, Meltdown is “probably one of the worst CPU bugs ever found” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention.
Spectre, on the other hand, is harder for hackers to take advantage of, but is also more difficult to fix and is expected to be a bigger problem in the long term.
How Does It Affect You?
The good news is that as of now, there's no evidence they've ever been used in actual hacking attempts and we can safely assume no one knew of their existence until they were discovered 6 months ago by Google’s Project Zero Security team.
The U.S. Computer Emergency Readiness Team said that while the flaws "could allow an attacker to obtain access to sensitive information," it's not so far aware of anyone doing so.
The agency urged people to read a detailed statement on the vulnerabilities by the Software Engineering Institute, a U.S. government-funded body that researches cybersecurity problems.
The institute said that "fully removing the vulnerability requires replacing vulnerable [processor] hardware." It later changed its guidance on Thursday to suggest updating software was enough.
The bad news for all of us is that most if not all devices that are using computer chips are affected by these vulnerabilities and have likely been affected for years, which means if your company relies on technology (computers, mobile devices, servers, etc.), you are affected.
What Should You Do About It?
Programmer Jann Horn of Google’s Project Zero was one of the researchers who discovered the flaws. In a blog post from January 3, 2018, he said his group alerted chipmakers to the issues in June. Since last fall, security researchers and companies have investigated and updated software systems to address the flaws.
Fixes and patches have been in the works for some time, and you can expect more information to come from your software and hardware providers in the near future.
According to AMC Solutions CTO Jeff Hollingworth, “Unfortunately these are CPU exploits, so any patching is mitigation at best and will likely result in a small performance hit (some patches have shown up to a 30% hit in CPU performance, but most are negligible).” Most users will notice little to no change in system performance.
It will be important for users to perform updates and patches on their software and firmware as soon as they become available. Some are already available.
For companies that are under managed services contracts, it is important to express your concerns and discuss any strategies with your service provider to mitigate security breaches and keep your system performing at top capacity.