The news went public last week of the discovery of two major vulnerabilities with widespread impact, affecting personal computers, mobile devices, and cloud services. “Meltdown” allows user applications (like browsers) to access kernel memory, normally reserved for the operating system. The “Spectre” vulnerability exploits techniques normally used to speed up processing, and tricks other applications into revealing information in their memory structures. The major web browser providers are issuing patches as a first line of defense. Initial concerns were that operating system fixes could slow processing by up to 30%. Of most concern are cloud services; while there is no indication that the exploits currently available could work against these platforms, companies are taking the threat seriously and doing everything they can to contain it.
- Researchers Discover Two Major Flaws in the World’s Computers [New York Times | Cade Metz & Nicole Perlroth] “To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers. That is a major threat to the way cloud-computing systems operate.“
- Microsoft reveals how Spectre updates can slow your PC down [The Verge | Tom Warren] “Microsoft is essentially warning server customers to make a tricky choice between security and performance.”
- Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it [Ars Technica | Peter Bright] “Longer term, it seems likely that Meltdown will recede into the distance—an annoyance, perhaps, but fully patched and protected against—but the rather more subtle Spectre is going to be with us for a while.“
- Microsoft pauses AMD updates for Spectre and Meltdown after consumer issues [Washington Post | Hamza Shaban]
“Microsoft appears to pin the blame on the faulty updates with the manufacturer. ‘After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.'”
From the Ohio Web Library:
- Crosman, Penny. “What Bankers Need to Know about Meltdown, Spectre Chip Flaws.” American Banker, vol. 183, no. 6, 09 Jan. 2018, p. 1.
- Fox-Brewster, Thomas. “Will Huge Chip Vulnerabilities Lead to Mass Intel, AMD and ARM Recalls?” Forbes.Com, 04 Jan. 2018, p. 1.
- White, Jeremy B. “Spectre and Meltdown Bugs Affect ‘Almost All’ Mac and iOS Devices, Says Apple.” Independent (UK), 06 Jan. 2018.
