Dive Brief:
- The only solution for the two security flaws circulating the tech sphere, known as Spectre and Meltdown, is to replace all CPU hardware, according to the Computer Emergency Readiness Team (CERT). The exploits allow access to "otherwise protected kernel memory and [bypass] KASLR," according to the report. Patches only mitigate risk.
- Thus far, CERT said vendors including AMD, Apple, Google, Intel, Microsoft and Mozilla are affected. The vulnerability is said to have been around for more than two decades in "modern processor architectures," according to Amazon. However, while nearly all of AWS is protected, AWS customers are advised to follow patching protocols. By the end of next week, Intel expects to have updates and resolutions for about 90% of its processors made in the last five years. The company maintains any performance slow-downs after an update are workload-related.
- ARM confirmed that its chips, used in Android, iOS, Nvidia and Sony devices, are impacted by the flaws. The company gave directions to individuals with devices containing exploited chips and offered kernel patches to mitigate threats. Google's infrastructure, including YouTube, Maps and Search, was impacted by the vulnerability, but no consumer action is needed, according to a company announcement. However, owners of Google Chrome OS and Android devices are advised to take necessary actions.
Dive Insight:
The tech world went into hysterics this week as nearly all computer-owning consumers were "most certainly" impacted by the bug, according to Google contributors and third-party researchers.
The severity of the bug is not limited to its scope. Researchers found that the flaw left no traces in "traditional log files," making it near impossible to know if a computer's memory was exploited. Meltdown specifically targets desktop, laptop and cloud computers and nearly all Intel processors since 1995, with some exceptions. Spectre, however, affects smartphones and modern processors.
Exploiting vendor trust and disrupting the supply chain are tactics malicious actors are sure to capitalize on in 2018. The widespread attention to this "speculative execution"-style attack is forcing companies to put out patches to protect their consumers.
As of now, IT departments need to search their networks for devices with compromised chips. If overhauling a device's internal hard drive cannot be performed in a time-sufficient manner, coupling security updates with firmware updates is imperative. However, PC vendors have yet to release firmware updates.