Meltdown and Spectre – Where Are We?

Meltdown and Spectre – where are we?

We are currently in a very strange place for business IT. At the start of January we all heard about the Meltdown and Spectre vulnerabilities that affect most modern computer chips.

At this point we would normally be sharing advice on what to do to protect affected systems. The trouble is, the current cures could be worse than the sickness.

Chip makers and hardware manufacturers have rushed to respond to a fundamental flaw in their systems. You would expect them to do this. Sadly, they seem to have been precipitous in many cases. The ‘fixes’ are being installed by users and admins, only to find out they have a problem where none existed before.

Computers are rebooting, slowing down or acting strange in many other ways because of the updates. This is particularly galling because in each case it’s an attempt to fix an issue that wasn’t actually manifesting itself in any way.

Meltdown and Spectre are vulnerabilities which have been identified but were not known to have been exploited yet, which makes it hard for busy people who have not suffered any problems to take the situation particularly seriously.

But it is serious. These chips, which power everything from graphics cards, to cash machines, mobile phones and the laptop on your desk, are now at risk from a known fault. It has to be addressed with urgency, it’s just that the current resolutions are generally making things worse.

Deep Problem

That’s a sign of how deep the problem goes. Normally someone finds the flaw in the code and a fix is written. This is so fundamental to the chips that it’s really hard to mend it with new code, so the attempts that are being made are floundering.

What’s even worse is that Meltdown and Spectre are not the same thing. They are different problems needing different solutions.

And that leaves us where? In a place where caution is better than untested action.

Before we start applying patches in scattergun approach, we need to look at what can be patched, how critical it is to the business, how well proven the fix appears to be, whether other setting need to be changed to complement the patch, etc, etc.

The urgency will increase if exploits of these vulnerabilities start to appear ‘in the wild’. That’s something we have to keep a close eye on. The last thing our clients needs though, is to have us ‘fix’ something, which then works less well than it did before and impacts the business on a daily basis.

Some people may disagree with this approach. But we tend to believe that no fix is better than a bad one. We will keep you updated as this develops.