The Big Chipzilla Fudge (Up): Breadth and Depth of the Mistake
You may have already heard of Meltdown and Spectre, two vulnerabilities that were recently discovered by Google’s Project Zero. Both exist because of a fundamental design flaw found in Intel’s processors, and they affect the Linux and Windows kernels.
Very simply put, the flaw lies in how privileged memory is managed, and it allows attackers to steal data from running apps. The Register has more details here.
The downside is, everything based on modern processors is now on a very slippery slope, and everything is going downhill very, very fast.
We are talking about a fundamental flaw in a whole generation of processors, but in a public statement Intel is intent on taking other chip makers down with it, saying, “Many different vendors’ processors and operating systems are susceptible to these exploits.”
So far, ARM has confirmed this to be true, while AMD denies that its processors are affected; ZDNet reported AMD as saying, “The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”
Long story short, the safest bet is to assume that eeeeverything is affected, so start patch-patch-patching away as though our lives depend on it.
The breadth and depth of impact
There are two flaws at play here; Meltdown mostly affects Intel, and Spectre affects Intel, AMD and ARM cores.
These vulnerabilities sit at the hardware (CPU) level, so everything built on top of the CPU is at more of a security risk than usual: operating systems; endpoint consumer devices such as smartphones, tablets, laptops and desktops; browsers; and servers, which in turn means virtual machines, hypervisors and cloud services are affected too.
The list of patches (or advisories, for those who are adamant they aren’t impacted) to date is as follows:
1. Amazon Web Services
8. Linux Foundation
Bleeping Computer has the list with more details here.
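Before treating a box as patched, a defender wants to see what the kernel itself reports rather than trust a vendor list. The script below is an added example, not code from this article or from any vendor named in it: it reads the Linux sysfs mitigation report (`/sys/devices/system/cpu/vulnerabilities/`, present in kernels that carry the Meltdown and Spectre fixes) and flags any issue still marked vulnerable. The directory path and the status strings are the kernel’s; the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the Linux kernel's
# Meltdown/Spectre mitigation status from the sysfs interface shipped with the
# fixes, /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15+, also backported
# to distribution kernels). One file per issue ("meltdown", "spectre_v1",
# "spectre_v2"), each reading "Not affected", "Vulnerable" or "Mitigation: <name>"
# (for example "Mitigation: PTI", the page-table isolation fix for Meltdown).

# Classify one status line; prints "unaffected", "mitigated", "vulnerable" or
# "unknown" so callers can act on the verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Scan a vulnerabilities directory (default: the live sysfs path). Prints one
# line per issue and returns 0 only when nothing is vulnerable or unknown.
# Assumption: the directory uses the kernel's layout; a missing directory means
# the running kernel predates the mitigations, which is treated as a failure.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability report: kernel too old, assume vulnerable"
        return 1
    fi
    bad=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-11s %s\n' "$(basename "$f")" "$verdict" "$status"
        case "$verdict" in
            vulnerable|unknown) bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: sh check_cpu_vulns.sh --live   (exit status 0 means fully mitigated)
if [ "${1:-}" = "--live" ]; then
    check_cpu_vulns
fi
```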
It never ends
Dimension Data’s APAC CTO, Andy Cocks, has shared that updates to Linux and Windows could mean a performance degradation of up to 30 percent.
Ten percent of the vulnerabilities that exist out there are 7 years old, and 47 percent are 3 years old.
That means that patches exist, but it is nigh impossible to deploy them everywhere because of mission-critical, live production environments that cannot afford the downtime.
An industry observer states that at best these patches, like most other patches, will only help mitigate the risk, not eradicate it. So in the coming months it will be interesting to see what more Intel will do, besides releasing these flimsy band-aids, which may or may not be deployed by organisations.
We’ve seen many critical vulnerabilities over the years. None inspires shock, horror and disbelief (all the hallmark emotions of a betrayal) quite like Intel’s.
Hypothetical question: what if Intel Security hadn’t rebranded itself as “McAfee” again, but had remained “Intel Security”?
Here’s something for the conspiracy theorists too: how long had Intel known about the flaws before making them public knowledge?