I participate in IT professional industry forums, where peers ask questions of other peers. Someone in the forum made a somewhat disjointed post questioning the severity for the recent Meltdown and Spectre security vulnerabilities. I paraphrase his long question:
About Meltdown and Spectre? I’ve seen a few posts in here about it, and tons of articles on the web….all the articles speculate on various exploit risks. I’m an IT guy, but not an engineer at the level of some of you guys. I’m posting this in all seriousness. I don’t grasp the difference yet… yes, the issue is with the hardware that can’t be changed (like bad code in a program), but doesn’t software have to access the hardware to take advantage of the exploit? Please, no flames, I just want to know how to position myself for my clients and what to say to them, to be as completely protected as possible. Thanks.
Off the top of my head, there are a number of concerns I have about why this is such a big deal. But, I am sure there are many other legitimate reasons.
Here they are in short summation:
- The breadth of the flaw affects essentially every person and company owning PCs, laptops, tablets, phones, and who knows what else.
- It affects virtually all operating systems, hosts, and virtual machines.
- It affects nearly all processors made from 1995 to today.
- If you are in a shared cloud environment, it could be your neighbor on the same host who gets infected and compromises your system. Or, it could even be a bad guy signing up for cloud services to exploit neighbors on the host they share with him.
- Nearly all applications and browsers are affected at this time.
- Fixes for such a universal problem will take more than a decade to completely eradicate. Therefore, for years to come we are going to be hearing about breaches related to this problem, because we all know there are millions who will do nothing to secure their systems. Others will be responsible, but it only requires missing one system. When you have hundreds or thousands of systems, it takes diligence not to miss stuff in existing deployments or not to miss something in a new deployment.
I could go on, but clearly this is a widespread, undiscriminating problem that will prove to have endurance throughout years to come.