Posted by Tim Luzadder, TCC Enterprise Infrastructure Director
As if software vulnerabilities were not enough, at the end of 2017 three new security weaknesses were publicized. Two were lumped together under the name Spectre and the third was called Meltdown. The announcement made a huge impact in the IT world because even though there are no known exploits of it at the time of this writing, the potential impact is catastrophic as they effect almost all Intel chips on computers AND phones made in the last 20 years.
The “flaws” are actually design elements that make the chips run faster, but can, in fact, expose data in the name of efficiency. What makes the problem so dramatic; is that the issue exists in the hardware architecture itself, so cannot be changed. It can be patched; however, that will make the chip run slower, so there is a cost to performance. One benchmark sets that slow down around 5 to 10%, but it can be up to 30%. And unfortunately, some patches caused some of the chips to not restart and so have been pulled for the moment.
Another aspect of the problem is that some software that was once secure, may not be. The fundamental assumptions that went into the security coding are no longer true. Most vendors are releasing patches and most cloud vendors have already applied them. However, some machines, especially any running older OS’s like Windows XP will almost certainly never be patched and will therefore remain vulnerable.
Who is affected? Everyone. This affects pretty much every device with an embedded computer chip from computers and phones to refrigerators and nanny cams. Because of the sheer size of the effort and the fact that this choice in how the chip is structured has been there for decades, a permanent fix involves a new circuit board.
One primary vector of the threat is that JavaScript on a web site could use Spectre to trick a browser into revealing username and passwords. So, it is vitally important that you keep your browsers up to date.
Contact TCC for assistance in developing remediation plans. Please visit our website https://www.e-tcc.com/managed-services.
Technology, Process and Expertise 