There’s recently been a lot of media attention around two vulnerabilities in computer chips. The vulnerabilities, given the ominous titles “Meltdown” and “Spectre,” exist in nearly all microprocessors made since 1995 — meaning they are found in nearly every popular business computer, home computer, and other devices such as smartphones and tablets.
One of the biggest challenges with cybersecurity is putting perspective to the severity of issues. Bugs and vulnerabilities that receive logos, names, and headlines usually result in a big – and often out-of-proportion – reaction. There’s no arguing the fact that these vulnerabilities are significant and should not be taken lightly. But, before you start to panic, the situation sounds a lot worse than it is. There is always a balance of “probability and exploitability” that businesses should consider in determining how likely they are to fall victim any cybersecurity vulnerability.
What are Meltdown and Spectre?
Both Meltdown and Spectre are hardware vulnerabilities in computer chips (microprocessors) that allow a non-privileged user to access information on the computer that they shouldn’t be able to access. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to access secrets stored in the memory of other running programs, which might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages, and even business-critical documents. This is a particularly big problem for cloud services like Microsoft Azure and Amazon Web Services, where multiple “tenants” use the same physical hardware.
Meltdown and Spectre require a high degree of sophistication, time, and luck for hackers to be able to exploit. These vulnerabilities have been around for 20 years and are something that both researchers and government agencies have been aware of for at least six months, yet we haven’t heard of any active exploits in the wild.
How Do I Protect Myself?
This is where things get complicated…
All major hardware and software vendors have released patches that address Meltdown and Spectre in the weeks since the disclosure of the vulnerabilities. In the case of Microsoft, its patches for Windows require that your antivirus software to updated to ensure Meltdown/Spectre updates won’t crash your computer (users of Colden Company’s Managed Antivirus are compatible with Microsoft’s updates). Intel released – and then retracted – updates to its microcode (software that runs the processor), and Microsoft then released an emergency update to fix the problems that Intel’s buggy updates caused.
The updates can be more impactful on computers (particularly servers) running older Intel processors and/or certain workloads, where updating to mitigate Meltdown/Spectre has the potential to reduce performance between 5% and 30%. The performance impact is very dependant on what software is running on the computer. Microsoft attempted to add some clarity to the potential performance impacts in a recent blog post.
To get back to the question of how you protect yourself and your business, Colden Company recommends patching – and not panicking – as reliable patches are made available from hardware and software vendors. Ask yourself how quickly you can reliably apply known-good and tested patches from reliable vendors, especially on critical systems.
Use the following steps to guide you down a good path to mitigating Meltdown and Spectre.
- Update antivirus software to ensure Meltdown/Spectre patches from Microsoft aren’t blocked.
- Update operating systems with relevant patches.
- Update hypervisor hosts, guest OSes, and cloud instances.
- Update system BIOS / firmware.
- Update web browsers where applicable.
- Check for updates to other applications and peripherals.
If even the above steps seem daunting, our best recommendation is to partner with experts at Colden Company to help ensure your business is protected.
The scope of this issue is huge. According to a survey of 500 IT professionals by IT organization Spiceworks, 70% of businesses report they continue patching despite the guidance from Intel to stop. 46% of companies have reported performance degradation, 26% are dealing with system “hangs” and freezes, and 22% are experiencing issues with computers not rebooting properly after the patches are installed. Costs from the mitigation effort also mounting for some companies. 29% of companies with more than 1,000 employees said they expect to spend more than 80 hours addressing the flaws, and 18% said they expected to spend more than $50,000.
While exploiting either Meltdown or Spectre requires a high level of sophistication, it’s still early days, and incidents that take advantage of Meltdown and Spectre will be inevitable. Laptop and desktop workstations are at the greatest risk, so make sure that you’re current with Microsoft patches as they’re released. You should be diligent about patching all systems and mobile devices. Work with your cloud providers and business partners to ensure they have a mitigation plan. Don’t worry, don’t panic, but be diligent and be sure to install patches as soon as they become available for your specific operating systems and devices.
This is a complicated topic and can quickly become overwhelming. Give the experts at Colden Company a call and let us help you protect your business against these and other cybersecurity risks. Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.