Since Spectre and Meltdown were discovered in early January 2018, it’s been quite a rollercoaster of press coverage, patch releases and advice that rides both ends of the spectrum.
Should you patch? Should you turn off automatic updates until this all shakes out? Will a patch cause instability in your computer systems? What will that do to your everyday business operations?
It’s a firestorm of experiences out there.
What are the vulnerabilities?
Both Spectre and Meltdown are computer processing vulnerabilities that affect almost every computing device in use today. The Guardian did a great job explaining the ins and outs of the two security holes in layman’s terms. The flaws are found in processing chips that have been used since 1995, but the vulnerabilities were just recently discovered.
Meltdown could access the hardware barrier between applications (which is usually highly protected) run by users and the computer’s core memory.
Spectre potentially allows hackers to trick applications that normally function without error into giving up secret information.
There are some who say that these two vulnerabilities have been out there for decades and haven’t been exploited yet. However, others counter that just because Spectre and Meltdown haven’t been used yet, doesn’t mean they weren’t found earlier by private, state or government agencies. They could be lurking, waiting to be used in a future attack.
Is there any bright side in this bad news?
Surprisingly, yes, there might be a small gleam of sunshine in this gray-day news. To date, there are no known exploits with these security vulnerabilities. Apple notes that for hackers to take advantage of these issues, you would have to download a malicious app on your device. They recommend only downloading apps from reputable sources, such as their own App Store.
How should consumers and enterprise businesses react?
It’s important that consumers keep machines updated and use antivirus software to scan regularly. But it’s also true that some antivirus vendors are not compliant and contribute to the same problem as Spectre and Meltdown. Check with your vendor.
As an aside, Microsoft initially patched Windows but it locked up some older machines that use AMD processors and caused some machines to reboot intermittently that use Intel processors. AMD claims their chips do not have the problem, but most agree that that remains to be seen. Microsoft has pulled their initial update and developed a different patch for these issues.
Meltdown is more of a problem for enterprises who utilize cloud computing services. The nature of these larger-scale businesses means that the performance with the fixes could be risky as it may have the potential to slow down operations using enterprise systems.
Amazon, Google and Microsoft Support all report that their cloud platforms have been updated and fixed to within a small percentage of users.
If you’d like any help with enterprise solutions or technology consulting in cybersecurity, systems integration, engineering development, product support, or technology incorporating software-based multifactor authentication (MFA), contact Cyber Solutions Technologies for a consultation today.