This week, a pair of vulnerabilities broke basic security for practically all computers. That’s not an overstatement. Revelations about Meltdown and Spectre have wreaked digital havoc and left a critical mass of confusion in their wake. Not only are they terrifically complex vulnerabilities, the fixes that do exist have come in patchwork fashion. With most computing devices made in the last two decades at risk, it’s worth taking stock of how the clean-up efforts are going.
Part of the pandemonium over addressing these vulnerabilities stems from the necessary involvement of multiple players. Processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as the software companies that actually run code on them to add protections. Intel can’t single-handedly patch the problem, because third-party companies implement its processors differently across the tech industry. As a result, groups like Microsoft, Apple, Google, Amazon, and the Linux Project have all been interacting and collaborating with researchers and the processor makers to push out fixes.
So how’s it going so far? Better, at least, than it seemed at first. The United States Computer Emergency Readiness Team and others initially believed that the only way to protect against Meltdown and Spectre would be total hardware replacement. The vulnerabilities impact fundamental aspects of how mainstream processors manage and silo data, and replacing them with chips that correct these flaws still may be the best bet for high-security environments. In general, though, replacing basically every processor ever simply isn’t going to happen. CERT now recommends “apply updates” as the solution for Meltdown and Spectre.
As for those patches, well, some are here. Some are en route. And others may be a long time coming.
“Everybody is saying ‘we’re not affected’ or ‘hey, we released patches,’ and it has been really confusing,” says Archie Agarwal, CEO of the enterprise security firm ThreatModeler. “And in the security community it’s hard to tell who is the right person to resolve this and how soon can it be resolved. The impact is pretty big on this one.”
Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system), impacts Intel and Qualcomm processors, and one type of ARM chip. Intel has released firmware patches for its processors, and has been working with numerous manufacturers, like Apple and HP to distribute them. Intel has also coordinated with operating system developers to distribute software-level mitigations. Patches are already out for recent versions of Windows, Android, macOS, iOS, Chrome OS, and Linux.
‘It’s hard to tell who is the right person to resolve this and how soon can it be resolved.’
Archie Agarwal, ThreatModeler
The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.) It affects processors from Intel, ARM, AMD, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems. But Apple, for example, has said it is still working on its Spectre patches, and hopes to release them within a few days.
“One of the most confusing parts of this whole thing is that there are two vulnerabilities that affect similar things, so it’s been challenging just to keep the two separate,” says Alex Hamerstone, a penetration tester and compliance expert at the IT security company TrustedSec. “But it’s important to patch these because of the type of deep access they give. When people are developing technology or applications they’re not even thinking about this type of access as being a possibility so it’s not something they’re working around—it just wasn’t in anybody’s mind.”
Cloud providers like Amazon Web Services are working to apply patches to their systems as well, and are grappling with corresponding performance slowdowns; the fixes involve routing data for processing in less efficient ways. Google released a mitigation called Reptoline on Thursday in an attempt to manage performance issues and has already implemented it in Google Cloud Platform.
The average user shouldn’t see significant performance changes from applying Meltdown and Spectre patches, except perhaps with processor-intensive tasks like video editing. It even seems like gaming won’t be significantly affected, though the vulnerabilities exist on so many chips going back so far that it’s hard to say for sure.
Consumers frustrated with the risk the vulnerabilities pose and their potential impact have brought three class action lawsuits against Intel so far, filed in California, Indiana, and Oregon.
Everything That’s Left
Though many of the most prominent manufacturers and software makers have taken steps to address the issue, countless smaller vendors and developers will inevitably become stragglers—and some may never directly address the flaws in their existing products at all. You should be especially vigilant about applying every software update you receive on your devices to reduce your risk—but don’t bank on your four-year-old router ever getting an update.
Experts also note that the rush to push out patches, while necessary, makes the ultimate efficacy of these early updates somewhat suspect. There hasn’t been much time for extensive testing and refinement, so slapdash fixes may not offer total protection, or could create other bugs and instabilities that will need to be resolved. This process will play out over the next weeks and months, but will be particularly significant in industrial control and critical infrastructure settings.
“You can’t bring down a power grid just to try out a patch,” says Agarwal. “Industrial systems, hospital machines, airline control systems—they will have to wait. They can’t just patch and hope that things will work out.”
Meanwhile, actors looking to exploit Meltdown and Spectre will be hard at work perfecting attacks—if they haven’t already. So far there is no evidence that either vulnerability was known and exploited in the past, but that can’t serve as definitive assurance. And attackers could find novel ways to exploit either bug, particularly Spectre, that could circumvent the patches that do come out.
Security researchers say that the vulnerabilities are difficult to exploit in practice, which may limit its real-world use, but a motivated and well-funded attacker could develop more efficient techniques.
Slapdash fixes may not offer total protection, or could create other bugs and instabilities that will need to be resolved.
Though possible, exploiting Meltdown and especially Spectre is complicated and challenging in practice, and some attacks require physical access. For hackers, the vulnerabilities will only get tougher to exploit as more devices start to get patched. Which means that at this point, the risk to the average user is fairly low. Besides, there are easier ways—like phishing—for an attacker to try to steal your passwords or compromise your sensitive personal information. But more high-value targets, like prominent businesses, financial institutions, industrial systems and infrastructure, and anyone a nation state might be after will all have reason to be concerned about Meltdown and Spectre for years to come.
“The serious thing for me is the unknown,” TrustedSec’s Hamerstone says. “There may be attacks in the wild, so not knowing what’s coming and not knowing how something is going to be exploited is tough.”