By Kurt Marko for Channel Partners Online
The tech world had a collective panic attack this past week with the announcement of several serious security vulnerabilities that exploit fundamental elements of modern processor design, with Intel’s x86 architecture shown to be the most exposed. Dubbed Meltdown and Spectre, the vulnerabilities could enable an attack that allows any program running on a system to read data from other running processes, even those protected by system- or kernel-level privilege.
Doomsday scenarios include an attack by a program running on a cloud service, like AWS EC2 or Google Cloud Engine, that steals information from other instances running on the same physical system, or client-based malware that uses tainted Web pages to piggyback off of the browser process to access data on a PC or phone. Think records from a password manager, or personal emails. Indeed, several code examples exploiting the vulnerabilities have already turned up on GitHub, including one for reading data from a browser and another for reading system memory.
Now that we have established the seriousness factor, back off the ledge. The world isn’t ending.
As usual in an era of shoot-from-the-hip articles and social media feedback loops, initial reports painted a dire situation in which software mitigations would impose crushing performance penalties, with a complete fix necessitating the premature obsolescence of hardware that would need to be replaced by systems with CPUs redesigned from scratch. Upon further review from people who actually know what they’re talking about, such as the Google team and university researchers that independently discovered the flaws, neither of these is entirely accurate — although it is true that the Spectre variant can’t be eliminated entirely without changes to all modern CPU micro-architectures, not just x86 systems.
These vulnerabilities were actually discovered months ago. In keeping with responsible disclosure, details were shared among hardware and cloud vendors so that patches could be developed and applied before the information became widely known. Although the news leaked a week before insiders intended, the lead time allowed all parties to develop fixes and patch cloud services beforehand. The days following the initial stories featured a cavalcade of status and patch announcements from major players that we summarize here: