IT WAS THE NEW YEAR’S PRESENT no one wanted: a hardware flaw in processor architectures from Intel, AMD, ARM Holdings, and other manufacturers. Nearly every CPU made since 1995 is at risk, including those at the heart of desktops, laptops, servers, phones, tablets, and Internet of Things devices. Everything built on top of them, including cloud services, could also be compromised.
The problem is “speculative execution,” a feature that modern chips use to accelerate processing by anticipating what programs will do next and preparing the results in advance. Two exploits called Meltdown and Spectre use flaws in that capability to access data in ways normally not allowed. Meltdown breaks through barriers between a program and the operating system kernel. Spectre lets one application trick others into leaking sensitive information. Neither of the exploits has been found outside labs yet.
“They might end up being hard exploits [to use], so we don’t know how deep the impact will be,” says Oli Thordarson, CEO of Alvaka Networks, a solution provider and MSP in Irvine, Calif.
Since the underlying problem resides at the silicon level, however, users may be dealing with its ramifications for years to come. OS, BIOS, and firmware vendors have scrambled to release updates, but in some cases ended up creating other complications along the way. One Intel firmware upgrade, for example, caused some systems to experience a higher number of system reboots.
Patches mitigating Meltdown and Spectre issues are also expected to levy a significant performance hit, slowing software that is “highly interactive” with disk or network I/O by up to 30 percent, according to Carrie Wheeler, COO of Lansing, Mich.-based web hosting company Liquid Web Inc.
Problems like those have caused companies such as Alvaka to warn their customers against rushing out patches. “At this time, the risk of doing updates is potentially greater than the threat,” the company’s website says, adding that “we expect this situation to resolve itself shortly.”
Kevin Beaver, an information security consultant with Principle Logic LLC, of Acworth, Ga., also advises businesses to cool their heels for now. “When you look at the bigger picture of security, there are so many more important things,” he says, citing routine OS and application patching as examples.
According to Thordarson, channel pros would be wise to check their contracts anyway. “In some cases, they’re going to be obligated to shoulder the entire burden to go out and assess the entire [processor] inventory,” he says. MSPs and cloud providers with heavy disk or network I/O might need to quickly replan their capacity too.