Tuesday, 16 January 2018

The Two New IT Vulnerabilities that Affect Nearly Everyone


You’ve probably heard of Spectre and Meltdown by now – the two new vulnerabilities that researchers have identified as affecting chips from Intel, AMD and ARM. We take a look at the risk they pose and what you should be doing about them.

While the dizzying scope of the potential vulnerabilities is the bad news, there is some good news. Namely, no one has detected any successful exploitation of either of the vulnerabilities in the wild yet.

However, it is a fair assumption that right now, even as you’re reading this, nefarious people are searching for ways to exploit them.

So, while the risk is not yet apparent, it is real. And you need to respond now, before those nefarious types find what they are looking for.

How the Risk became Public Knowledge

There has been some controversy about how news of the vulnerabilities came into view. They were originally identified by a team of researchers working with Google in 2017. At that time, Google shared information with the chip manufacturers, ostensibly to give them time to respond and find a solution before the information became public.

However, when Apple became aware of the vulnerabilities, it went public – giving us the information we need to respond, but also (inevitably, simultaneously) raising awareness of the vulnerabilities with those who might seek to exploit them.

What is the Risk?

At the moment, it is difficult to assess the extent of the risk since, as far as anyone knows, the vulnerabilities haven’t yet been exploited. Until that happens, and the risk becomes apparent, we don’t really know how big the potential problem is.

That doesn’t mean that inertia is an option; individuals and businesses need to respond.

However, we do know that patching the bugs has prompted numerous complaints about performance impacts. The fix for the Meltdown vulnerability present in modern Intel processors enforces complete separation between user processes’ virtual memory spaces and the kernel’s virtual memory areas, which is a significant change, especially for workloads that make numerous I/O or system calls.

How Should Home Users Respond to Spectre and Meltdown?

First, establish whether any of your infrastructure or devices use the vulnerable chipsets.

If you have any of the vulnerable chipsets, you’ll need to immediately install the software patches provided by your operating system provider and any available firmware updates. See Microsoft’s advice here.

Once you’ve done what you can in the short term, you’ll need to consider what to do moving forward.

For home PC users, the answer is relatively straightforward: you can swap the processor out for another one that isn’t susceptible to Spectre or Meltdown – provided you can find a compatible chip that doesn’t have the same vulnerabilities.

Of course, this wholesale swap-out isn’t feasible for an iPad, so home users will need to follow advice from Apple on the best way forward. At the moment Apple has advised: “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan.” Read Apple’s full response here.

How Should Businesses Respond to Spectre and Meltdown?

For business users, the solution might not be quite as easy. Swapping out entire processor modules from your blade servers, including the memory, could quickly get expensive.

First, you’ll need to conduct an audit to assess how much of your IT estate is affected. Updates and patches should be applied as soon as possible.
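For the Linux part of such an audit, the kernel reports its own Meltdown and Spectre status under sysfs. The script below is an added example, not part of the original article: it goes beyond the text by assuming Linux hosts whose kernel exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): classify Meltdown/Spectre status from
# the Linux kernel's sysfs reporting files. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities (mainline 4.15+ or a vendor backport).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;   # also "Vulnerable: <detail>"
        *)               echo unknown ;;      # empty or unrecognised text
    esac
}

# audit_cpu_vulns [DIR]
# Prints one tab-separated "name, class, kernel text" line per issue.
# Returns 0 when nothing needs action, 1 when any entry is vulnerable or
# unknown, 2 when the kernel reports nothing (treat the host as unpatched).
audit_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir: kernel too old or not Linux" >&2
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        text=""
        if [ -r "$dir/$name" ]; then
            text=$(head -n 1 "$dir/$name")
        fi
        class=$(classify_status "$text")
        printf '%s\t%s\t%s\n' "$name" "$class" "$text"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Audit the live host only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_cpu_vulns
fi
```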

However, given the performance issues that some are reporting as a result of the fixes being issued, you will need to monitor performance. Reports suggest that the slowdowns are workload-dependent, but can be as high as 20%.

If you are experiencing this kind of performance issue, your response is probably going to depend on where you are in your buying cycle. If you were planning on buying new hardware, this might be an opportunity to bring that purchase forward. If you’re mid-way through an upgrade project or have recently completed an upgrade, you’ll need to speak with your vendor about what they can do and what you are entitled to.

For those mid-way through a buying cycle, the problem is stickier – it will come down to the degree of compromised performance, potential risk and cost of replacement.

For those using cloud services, you can’t assume that you are safe. At a minimum, you’ll need to update instance operating systems and monitor performance issues. Depending on how your billing is structured, the higher CPU usage may result in a cost spike. If you think this might affect you, it is worth checking with your vendor.


If you had already been putting up with an older PC that felt underpowered, the chances are that it will be up to 27% slower after the update that secures it against this chip-based vulnerability. This will potentially create further frustration and loss in productivity for you and your people.

We can smooth the transition from the old PC to a new, faster one, allowing you to be productive again. For more information, or for help planning your response, Grant McGregor consultants can help. Call our team on 0808 164 4142.


Photo by kin.lane on Foter.com / CC BY-SA