We’re only four days into 2018, and cyber security is already dominating headlines. Earlier today, multiple news outlets reported on the discovery of vulnerabilities in chips from Intel, AMD, and ARM.
The vulnerabilities – dubbed Meltdown and Spectre – are fairly serious. An attacker can use them to steal all kinds of information, including things like passwords, encryption keys, user data, and more. And the vulnerable chips are used in many devices. For example, the BBC reports that Intel chips are used in 80 percent of desktops and 90 percent of laptops.
In practical terms, the widespread use of the vulnerable chips means the issue affects nearly everyone.
With that being said, the situation is not serious enough for you to throw your devices out the window and stop using the internet. Here’s a couple of things end users should keep in mind.
Nobody’s exploiting these vulnerabilities…yet
As of now, there are no reports of actual attackers exploiting these vulnerabilities. And that’s good. Everything known so far is based on information and proof-of-concepts published by security researchers.
However, that doesn’t mean that attackers won’t use them in the future, so it’s important for people to be aware of and take steps to protect themselves.
Which brings up the second point…
Updates are on the way, but things could get messy
Fixing vulnerabilities in chips with software isn’t easy. But that’s what’s happening now. Many operating systems already have updates available. But updates can be messy. For example, Microsoft announced today that its update may have compatibility issues with some antivirus software (F-Secure has already updated our products to ensure they’re compatible), which can delay the update process for end users.
According to F-Secure’s Chief Technology Officer Mika Stahlberg, mitigating the vulnerability can have far-reaching consequences, potentially making Meltdown and Spectre impactful even if they’re never used by attackers.
“What makes these vulnerabilities so interesting and dire is the fact that they’re about CPU optimization. Securing this logic requires hardware changes or changes to related software logic — both of which can hurt performance and increase cost of computing,” says Mika. “The impact on operating environments alone could be enough to make these the most expensive vulnerabilities in history, even if there are no real world attacks.”