DEMYSTIFYING “SPECTRE” AND PUTTING A FREEZE ON “MELTDOWN”
By Keith Barthold
While many security threats don’t affect the average worker’s day-to-day experience – you may have not even been aware of a lot of them – the latest two menaces that look to wreak havoc on your computing systems are chip vulnerabilities which are surprisingly common to just about everyone who uses computers, cell phones, servers, and even those operating in the cloud, regardless of which operating system you’re using.
While it’s too early now find out the scope and magnitude of the these most recent security threats, perhaps the biggest takeaway so far is that doing something is NOT always better than doing nothing.
The culprits, “Spectre” and “Meltdown,” were discovered and reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. Though the details behind these flaws are highly technical, these twin security threats essentially allow programs to steal data which is currently processing on your computer, as one program attempts to obtain data from the sensitive data stored in the memory of other running programs. This information can include passwords, photos, emails, instant messages, and other personal and critical data.
The chip flaws affect modern processors including Intel, AMD, and ARM—affecting almost all computers, servers, cloud operating systems, and cellphones made in the past two decades. Basically, if it has a computer chip in it, it’s likely affected by either Spectre or Meltdown or both.
The good news is that Apple, Google, and Microsoft have released updates for both threats. The not-so-good news is that the patches used are running into significant issues with antivirus products and some of the supposed fixes are causing the dreaded “blue screen of death.” As the patches are being developed, hackers are finding ways to reverse engineer them which makes the exploit more accessible. So when you apply the patch to your device you could be making things much worse.
I can’t say it enough or with enough emphasis: doing something is NOT always better than doing nothing. Thousands of people rushed to apply the earliest patch available, and now thousands of businesses and individuals are facing those fatalistic blue screens. You have to be wise when you patch because people are patching too early and not being selective. The value that DKB brings is that we review all patches. In the cases of Spectre and Meltdown, we’ve chosen to delay using the initial, premature “quick fixes” because the damage done by them have outweighed the security threat.
Many experts claim that software patches may not be enough to fully mend Spectre, which deceives applications into divulging restricted data. Users will have to wait for processor redesigns in the next generation of chips. Fortunately, it is more difficult for hackers to take advantage of Spectre.
And others suggest that attempting to fix the problems may slow a computer’s performance, especially on devices more than five years old. The New York Times recently reported that researchers claim some fixes could slow down computers by as much as 30 percent.
DKB has sent out communication to all of our clients recommending that we wait for “official” patches promised by Microsoft and our anti-virus vendor and that users update their devices and browser software when they become available