What Should You Make of the CPU Security Crisis?
Meltdown and Spectre, a series of hardware-level exploits disclosed last week, led to a collective freak-out in the tech world. The issues, mostly with Intel processors but affecting almost every major type of CPU, definitely are serious, but what do they mean for your association?
In 1994, a math professor unwittingly came across what would prove to be a costly headache for the chip giant Intel—a bug in the way that the floating point unit in Intel’s Pentium chip divides numbers.
The problem was seen in retrospect as perhaps a bit overblown—it was not a situation that most computer users would run into on a regular basis—but it still ended up costing Intel hundreds of millions of dollars.
The flaws recently revealed in popular lines of processors promise to affect users a lot more than that old floating-point bug, especially if they don’t upgrade their devices.
Last week saw the revelation of two separate bugs, one specifically targeting Intel devices, nicknamed Meltdown, and another affecting chips by both AMD and the widely used ARM platform, along with Intel, called Spectre. Both affect processors made over a 20-year period, involving the processors’ handling of something called speculative execution, a technique that allows for faster processing but also created massive security holes that promise to be with us years from now.
The bugs are significant enough that they’ve earned their own names and logos, and each is believed to enable attackers to access sensitive data at the hardware level. A piece of malware could, theoretically, grab passwords or other sensitive data at a very low level within the system. The bugs, in this way, have parallels to the Heartbleed bug, except at the hardware level.
Much has been written about these flaws, and early on, the news about Meltdown in particular—reportedly first discovered months ago by Google researchers—had a lot of people freaking out and struggling to explain what it does.
Fortunately, we’ve had a few days to digest this news, and while Intel will surely be dealing with the fallout for some time, it’s looking like Meltdown and Spectre, at least in the short term, will be more of an ongoing security annoyance than a code-red crisis—as long as you’re on top of tech security issues in your organization.
So, what does this mean for your association’s IT department? A few quick takeaways:
Now might be a good time to hold off on buying new machines. Since this is a hardware problem, it’s going to take Intel and other manufacturers some time to solve it—so if you’re in the market for a new computer, it may be wise to wait. In particular, it may be prudent to hold off on a noncritical purchase of a machine with an Intel processor, as Intel plans to implement fixes to Meltdown in its hardware. While Intel has software patches going to the machines already on the market, those are said to slow down certain operations, and it’s possible that Intel will be able to solve the Meltdown-related security issues in later iterations of its chips. At the same time, the issues may simply be unavoidable, particularly as Spectre affects a much broader array of products—including some versions of the iPhone and iPad, along with connected devices that use the ARM architecture. Which of course means …
Expect to do a lot of patching in the coming weeks. While it’s clear that software can only do so much about a fundamental hardware-based issue, the Meltdown and Spectre scare highlights why it’s so important that your organization have a well-considered approach to security and updates. In the longer term, more patches could be necessary, and because Intel and other processor makers are at the mercy of third-party software vendors, it might take a while for your connected devices to get patched. Hey, it could be worse: As Wired notes, the United States Computer Emergency Readiness Team initially believed the only effective way to solve the Meltdown problem was to replace the hardware entirely. In that light, patching is definitely a nice alternative.
Cloud computing resources are likely to see some hiccups. Want an idea of how bad Meltdown could be for cloud computing? Look to the world of gaming. Big-name publisher Epic Games, for example, has run into a lot of problems over the past few days due to the way patches have affected servers for its popular title Fortnite. It’s a high-profile example of what may become the most visible problem caused by Meltdown in particular: Cloud computing exists to make processing power available to the public, and now the exploit—and its necessary patch—promise to make that processing power, well, less powerful. While big players and small have been working on solutions for the flaws, the speed issues related to patches will be particularly felt on the cloud, as database software and web servers are likely to face the strongest effects from such patches. This could mean that your cloud computing dollar might not go as far.
This is not an ideal situation by any means, but if your IT department is staying on top of security issues, you might be able to keep your head above water. But expect a few headaches. (And I would expect the tech industry to learn a lot from this crisis, as it did with Heartbleed.)
Just because it’s called Meltdown doesn’t mean you actually need to have one.
(yorkfoto/iStock Unreleased/Getty Images Plus)