Meltdown & Spectre: What you need to know ?
The internet has been abuzz with news and stories regarding most likely the most significant security news in recent memory.
Security researchers working for Google’s Project Zero, with research groups and academia discovered a series of wide-ranging security vulnerabilities involving speculative execution, an integral function in modern day CPU’s. Almost all CPU’s in the last decade or two is vulnerable to one or more of these exploits.
Meltdown affects Intel the hardest while affecting some Arm processors and not affecting AMD due to architectural differences. With Meltdown it is possible to abuse Intel and Arm’s speculative execution implementations to get the CPU to leak information from other processes. In essence, it allows Meltdown to spy on other processes and extract information restricted to the kernel, virtual machines and other programs.
With Spectre the range of processors at risk is much more extensive. Essentially every high-end processor ever made. This method of attack while similar to Meltdown is much more complicated and implies a more fundamental risk of the implementation of the “speculative execution” process. Spectre requires more work to coerce a target application to leak information but is more complicated to mitigate as it is not well understood.
This all sounds very complicated and is. The impact of these security vulnerabilities is a little easier to understand. From early reports, the method of mitigating Meltdown requires the operating system, software and firmware updates which can add a significant overhead to a computer’s performance. These are said to range from 5 to 30% impact and even more, where older computers suffer the most. While this sounds terrible, initial tests that we found online prove that the average computer user with recent hardware will not see a dramatic overhead if any. But this is only a minimal test case, and once the Windows update that addresses this, is released today, we will see the impact for most users.
With servers and cloud-based services, things are a bit more complicated as the volumes of data and activity is much higher than on workstations and PCs. But Amazon, Apple, Google and Microsoft are reporting that they see little to no performance impact after applying recently released security updates.
Things to do:
1) DO NOT PANIC!!
2) Make sure that you do the required Microsoft, Apple or Linux updates and patches.
3) There may be some firmware updates needed but we will keep you posted on those.
4) Update your web browsers and ensure that you log out of web session before closing tabs.
The release of this information regarding Meltdown and Spectre was unplanned, and this caused a lot of confusion to the public, researchers, hardware and software vendors have been scrambling trying to catch up on what is happening. With the confusion, there are many things not known, and our recommendation is to follow the guidance provided by your OS software vendor and support agent(s).
We will have a follow-up article on Meltdown and Spectre shortly. Please do not hesitate to contact us to find out how we can assist you with the management of your business information technology security.
To read more on this :