Inc Magazine, January 18, 2018, comments by Satya Gupta;
'Meltdown' and 'Spectre' vulnerabilities present a fresh attack vector -- accessible on every type of computing device.
When the news about the Meltdown and Spectre vulnerabilities came out a couple weeks ago, the fix was supposed to be routine patch applications from the proper prominent vendors in question (Google, Amazon, Microsoft, Apple, and so on). Just install the fix and all would be well. But not so fast. Literally. Turns out the patch is costly and disruptive and once complete, slows system performance considerably. Microsoft acknowledged last week that Windows servers could significantly be impacted.This of course is not sitting well with customers. Some are considering moving to competitors, pressuring Intel for discounts or other options.
"The problem was created because chip manufacturers found clever ways to improve chip performance, while inadvertently leaving backdoors to the inner sanctum -- where processing takes place on the chips," Satya Gupta told Inc Magazine. Mr. Gupta is the founder and chief technology officer of Virsec Systems, a supplier of application security systems.
"Even though chip performance has grown exponentially over the past 20 years, it's never acceptable to force customers to take significant steps backwards in performance," observes Gupta.
Full resolution of the problem could take years. Meltdown and Spectre are two memory corruption flaws where hackers can break into a system by bypassing operating systems and security software. Once in, the hackers can steal encryption keys and passwords. These vulnerabilities are now present on just about all types of devices – computers, smart phones, and servers in the cloud.
The problem exists because developers at the time these chips were designed made choices that would enhance speed and performance at the cost of security. But at the time, the security threats we have today were not even conceived of so they couldn’t have imagined the risks. But reversing the flaw now, which the patches effectively do, removes the performance advantages and slows systems down.
This situation is similar to one that occurred in 2014 when open-source flaws called Heartbleed and Shellshock were discovered. In those cases, the issues were in the hardware during coding development in 1987. The vulnerability effects Bash (Bourne-Again Shell), a program for users typing commands on devices using Unix, Linux, Apple and Android operating systems.
For Meltdown and Spectre, so far, no reports of hackers exploiting this vulnerability in the wild have surfaced. But you can bet hackers are working on it. But now that organizations have been forewarned, will they use this heads-up time to forearm themselves?
Read full Intel Chips Could Ignite Next-Gen Hacking article
