
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Meltdown and Spectre: The Holy Grail of Vulnerabilities

Posted: 17 January 2018


Just when we thought it couldn’t get any worse, yet another vulnerability has been discovered, but this time embedded into physical hardware. The threat is so severe that if used correctly, a simple action like running a computer program could allow someone to steal sensitive information such as passwords and credit card details. And guess what? Not a single piece of IT security software will save us. But hey, there is a patch for it...

Introducing Meltdown and Spectre

The Meltdown and Spectre vulnerabilities have been comprehensively covered by The Register, Wired, Krebs and many other blogs, but I won't dive deep into the mechanics of them. There is also a dedicated website devoted to the bugs, where we can even find academic papers showing how to implement an exploit, plus the etymology of the names 'Meltdown' and 'Spectre'. Apparently Meltdown melts security boundaries between software and hardware, and Spectre will haunt us all for a long time. Those are not friendly descriptions, but we don't expect them to be, because the vulnerabilities aren't friendly, and unfortunately their impact affects us all.

Let’s talk CPU, shall we?

We live in an era where schools should have been teaching electronics as a mandatory requirement for many years now. Instead, a large part of our society knows very little about computer mechanics or technology in general, and thus doesn’t realise the scale and impact of Meltdown and Spectre. Do you know what a CPU does, how it works, and what it is used for? Perhaps it's time for you to find out...

Essentially every modern CPU is affected by Meltdown and Spectre and can be exploited by someone with malicious intent. It almost sounds like a perfect back door for those into conspiracy theories, like a government agency implementing a back door into every CPU in order to control all of us... Or maybe it is just a genuine error made by all major hardware manufacturers? Was this vulnerability exploited already? For me, as an IT security consultant, the question is for how many decades we will hear about this vulnerability being used by inglorious hackers, and how long it will take to fully patch every system. We have to act quickly and we have to be consistent.

The Vulnerability Patch is out there…

The good news is that the patch for Meltdown and Spectre has already been released, and if you've not done so already, it's strongly recommended that you initiate a system software update on your computer. This software update has already been released by major software vendors; in order to fix a hardware issue, we use software to cover for it. Software and hardware are best buddies when it comes to Meltdown and Spectre - at least for now, as it's rumoured that the next generation of CPUs will have this security issue fixed, and my guess is that it will stimulate sales of the latest CPUs. There are also many reports claiming that the software patch will slow down computers, whilst others say that the impact may not be so bad. In the end, time will tell.

All in all, the economy will move forward, the rich become richer, bad guys have a new weapon for stealing data from us and once again, it's us who are vulnerable and who will have to spend more money on protecting our systems, so who is the winner?


Posted by: Chris Galazka
Technical Consultant, Infinigate UK

 
