Spectre, above, is one the biggest potential cybersecurity threats to date, along with Meltdown. It's not going to be an easy fix, writes Peter Vogel.
It’s not every day that a computer flaw, or in this case two flaws, gets its own avatar.
Such was the case though with arguably the biggest potential cybersecurity threats to date, the potential to compromise data passing through the processor chips for pretty much any computer produced since 1995.
These threats, dubbed Spectre and Meltdown, have triggered the need for unprecedented action by chip makers, computer manufacturers, and data centres.
As the news was beginning to emerge about these major flaws, I sent the first of two notes to my colleagues.
“I've issued a lot of security warnings over the years. The issue you may have heard about in the news over the past week is the biggest I've ever dealt with.
“However, I'm here to tell you not to panic or to worry unduly about your day-to-day use of Internet technologies. Don't believe some of the hyperbole you may read. At the same time don't believe that all you have to do is keep your anti-virus software up to date. It won't help and in some aspects may even be a hindrance.”
Indeed, as it turned out, antivirus software got in the way of some early patch attempts, even causing some machines to become “brickedm” or unusable without substantial additional work to get them running again.
In my subsequent note I told colleagues to hold off on any patches, if possible, until there was a little more testing in place. Intel, the company whose processor chips are most affected by these flaws, cautioned that some patches were causing issues, not only for older equipment but even for more recent computers.
This problem has been decades in the making. It is not going to be an easy fix. Hundreds of companies have to be involved. In fact, aspects of the problem may never be dealt with in current computer processor chips. It will take a new generation of such processors, and integral design changes such as will be required can take years to get to the production stage.
Just after New Year’s Day the first stories about Spectre and Meltdown appeared in the technology press. “Critical flaws affect most Intel chips since 1995” ran one headline. Initially, rival chipmaker AMD issued a self-congratulatory notice that its chips weren’t affected but that was discounted the following day.
Although as of press time there were as yet no confirmed attacks leveraging the Spectre and Meltdown flaws, these will surely come.
Are there some simple actions we can take on the user side until there is a measure of mitigation taken by manufacturers?
At the most extreme, yes, we could take care and run any information sensitive tasks with just one tab open and one browser session. No multiple browsers, no incognito sessions on top of an open session. Such action guards against the melting down (hence the Meltdown moniker) of protective data barriers between multiple open tabs.
An early fix that was posted by Google, for users of its popular Chrome browser, was to enable a special setting that would restrict data from being shared across tabs. This fix was incorporated into later versions of Chrome.
However, Spectre and Meltdown are pervasive problems, extending across personal computers, mobile phones, corporate servers, cloud service data centres – basically most devices that incorporate data processing chips. Don’t think that the flaws are confined to a specific operating system. They aren’t. Windows systems, Mac equipment, Android phones, iOS phones, Linux systems are all affected. The list is broad.
Most concerning will be those big cloud data centres with their thousands of servers. Each of those servers can function as dozens of virtual servers. Imagine a hacker taking advantage of this processor flaw. The hacker rents space on one of these virtual servers. If not properly patched, the hacker can then steal information from other customers on that same physical machine.
Major cloud service providers such as Amazon Web Services, Google, and Microsoft Azure worked with discoverers of the Meltdown flaw in particular, and over a number of months developed tools to mitigate potential compromises, but the companies also warned customers that they’d have to patch their own software they might have running on those services.
One thing is certain: the potential for problems resulting from the Spectre and Meltdown flaws will continue for years to come.
Follow me on Facebook (facebook.com/PeterVogelCA) or on Twitter (@PeterVogel).