“An industry-wide, hardware-based security vulnerability was disclosed today”.
The opening lines of Microsoft Azure’s ‘Virtual Machine Maintenance Notice’ made me nervous yesterday, and rightly so given than a good chunk of computers made since 1995 may be set to slow down by as much as 5-30% in the near future due to some recently discovered vulnerabilities in Intel processors.
More specifically, there were 2 major security vulnerabilities announced this week – affecting most Intel (i.e. one of the largest CPU manufacturers in the world…) processors produced since 1995, as well as various processors produced by AMD and ARM (i.e. Intel’s competitor, and the designers of nearly every smartphone processor, respectively).
These vulnerabilities have been assigned the rather colourful codenames “Meltdown” and “Spectre”. The main thing you need to know about these vulnerabilities is that they make it possible to retrieve information from computer memory that would normally not be accessible – this could be anything, including (but not limited to!) passwords and personal information.
On shared systems like public or private cloud servers, it’s also possible to access the host’s physical memory and steal information from other customers who happen to have their virtual machines hosted on the same hypervisor as you.
Oh, and as I hinted above, it also affects nearly all smartphones. So…it’s kind of a big deal.
The good news is that the Meltdown vulnerability can be addressed by installing the latest patches for Microsoft and Linux operating systems. Apple’s macOS has been protected since version 10.13.2. This will help you avoid exposure to the risk of having your sensitive information stolen due to the exploit.
The bad news is that Meltdown is ultimately a hardware design flaw, and the patches mentioned above are simply a workaround. The way that the workaround has been implemented means that there is the risk of a performance impact, depending on what workloads your machine is running. It’s important to note that because this is a new vulnerability that has only recently been patched, these performance impacts are still being quantified.
When it comes to the Spectre bug, there is no simple method of implementing a single fix (as is the case with the Meltdown patch). The fact that it’s harder to resolve permanently is actually where the name came from since it will “haunt” us for quite some time, according to the official FAQ here. Having said that, it’s also harder to exploit than Meltdown – there’s no cause for panic just yet.
IT security, by nature, is forever-changing, and can quickly become overwhelming if not properly managed. Of course, there is no way to protect against 100% of possible attacks, but establishing a set of well-defined and documented processes (scheduled updates, password management, user training etc), and then sticking to them is key to minimising your exposure to security threats. If this is something your company could use assistance with contact Starboard IT today and let us worry about it for you while you focus on your business.