2018 started with a bang for those in cyber-security — and almost everyone else running a device that uses an Intel, AMD or ARM chip made from the mid-nineties till today. News broke (and spread like wildfire) that three security flaws, named Spectre (Variant 1 and 2) and Meltdown, could be exploited by ransomware and other malicious code to extract sensitive information by utilizing the chip's way to speed up processing.
The intricacies of how this works and why this has not been made known before have been discussed at large by much bigger cyber-security experts than myself. After giving you the must-know facts about Spectre and Meltdown, I'd much rather focus on who's affected, how to fix it, at what cost, and how to prepare for the future when other decades-old flaws are found.
What Are Spectre & Meltdown?
Modern Intel, AMD or ARM chip processors built in the past 20 years use what is called "speculative execution." This process is designed to maximize the processing speed by predicting what the user will need to do next before he or she even asks for it. The processor, instead of stopping at a yes/no condition, will execute both. The wrong decision gets stored temporarily in a cache, including sensitive information such as browser history and passwords.
Out-of-order execution is another way modern chips maximize speed. The chip determines the most efficient way to execute code and therefore can execute several steps ahead. Again, any falsely performed are sent to cache.
This behavior has resulted in two known vulnerabilities: the chip is executing commands without checking the validity of the request, and the temporarily stored data is not encrypted anymore.
A potential Meltdown attack would be looking for any unencrypted data stored in the cache from these out-of-order executions. It is not targeting any specific data, but instead gathers what it can. An attack leveraging the Spectre vulnerability, on the other hand, would induce the victim's processor to perform an irregular speculative execution, meaning it would lead the processor astray on purpose and then leak the sensitive data.
Who Is Affected?
Speculative execution and out-of-order execution in processor chips were not closely-guarded industry secrets. Anyone who took a computer class in college and learned about processor speed would have become aware of this potential vulnerability.
While chip manufacturers and operating system providers are scrambling to provide fixes and patches for this vulnerability, hackers are equally clambering to create malicious attacks to exploit these security flaws.
Because almost every Intel chip made since the mid-nineties — except some Intel Atom and Itanium chips — uses speculative and out-of-order execution, Meltdown affects nearly anyone running a modern device with an Intel chip. Spectre can take advantage of the Intel chip exploit, as well as AMD and ARM chips.
In essence, anyone running a modern PC, Mac, iPhone, or Android phone is at risk — even cloud servers are not safe since they are typically running virtual machines from one physical computer.
How To Fix It And The Pitfalls Associated With It
Patches are widely available now — with more being developed
However, they do come at a price: the performance of your machine. Simply put, the older your device and the older your OS, the more significant the decrease in performance. According to Microsoft, most users running Windows 7 or 8/8.1 will notice a significant slowdown. Some users on older machines running Windows 10 will notice a slowdown, while users with the latest CPU chipset on Windows 10 will probably not notice a significant difference.
Part of the decision to update and incur noticeable performance slowdowns is partially dependent on how many third-party applications your organization runs that could be exploited. If you are running mainly in-house programs, deferring these fixes might not pose as big of a security risk.
However, most organizations have applications running that can be exploited and eventually you will need to update. As of now, Windows Update is not pushing out these patches to machines, which could be because there has been no known case of these attacks seen in the wild yet.
What Is The Security Advice?
With such a widespread issue, but no known attacks yet, rushing to upgrade might do more harm than an attack. With all the patches and fixes that have been released so far, besides noticeable slowdowns, Intel's own patches have several bugs in them. Read here for more info on the problems with the patches that have been released.
This is not to say that you should just wait several months for all patches to be released and all bugs to be worked out. It is always a good idea to use common sense and take security precautions, such as reviewing currently in use third-party apps, cloud services, and browsers and temporarily eliminate unpatched or problematic ones.
How To Avoid A BAU Disruption
While it is not possible to predict how many future flaws will be discovered in the next few years, an incident like this serves as a reminder that something of this scale could be discovered again and leave large organizations scrambling.
And the consequences of a slowed-down IT environment are severe!
As previously discussed, even a small computer distraction (update, slowdown, install, etc.) to a millennial employee could lead to a half an hour of non-productive time waste. Another study found that IT issues cost UK businesses the equivalent of $1 million to $60 million a year, depending on company size. However, 95% of that cost is caused by loss of productivity (78%) and lost revenue (17%)!
Therefore, the Spectre/Meltdown fixes could cause major disruption to your Business-as-Usual operation and potentially impact your company's bottomline.
Tackle The Fix Slowdown Problem With Dashworks
This is a great example of where Dashworks puts you in a position of power. Using Juriba's IT Transformation Management platform, you can deal with the current microprocessors chip issue, as well as future flaws. If your organization is still running on Windows 7 or 8, the time to upgrade has arrived.
Even though extended support for Windows 7 and 8 ends in January 2020 and 2023 respectively, the slowdown of your devices will cost your company millions of dollars in time.
Not only can Dashworks make the process of migrating to Windows 10 more efficient, it does so much more to help you understand how much of your legacy estate will be affected by the slowdown fix. It can help you manage your patch rollout, especially where other readiness items need to be considered. You'll know:
- How many PCs are running on which chipset, so which ones are most affected
- How many, and which, 3rd-party apps are running so you can see which ones are most vulnerable
- Which devices are woefully out-of-date and are already running at a significant performance lag
- Which devices need which patches, or have the patches already installed
And since Windows 10 is a Windows-as-a-Service OS, using Dashworks' central command and control will keep you up-to-date with the twice-a-year feature updates and monthly security updates. Using Dashworks to simultaneously update both your OS and hardware will help you navigate through the Spectre variants and Meltdown so there is as little distraction to your BAU as possible.