We all knew it wouldn’t be long before the next major computer security vulnerability scare would emerge, but I must admit this latest is a doozy – both in its timing and scope. Known collectively as Spectre and Meltdown, the bugs exploit flaws in microprocessors (especially Intel). Even Mac and iOS users, who often get a pass on the majority of security threats are vulnerable, Apple admits. Because the processors are implemented differently throughout the tech industry, Intel, AMD and other processors must coordinate the fix with large groups like Amazon, Apple, Google, and Microsoft. Not only do they all have to collaborate, but the fix also has to be tested. For mission-critical scenarios such as industrial systems, hospital machines, and air traffic control systems which have nearly zero tolerance for downtime, there’s going to be many difficult conversations ahead. Some are saying the Spectre bug, which is more difficult to patch than Meltdown, may be impossible to debug entirely without a hardware update.
Speculative Execution: Where Spectre and Meltdown Strike
To better understand these bugs, one must first understand a bit about a typical computing process called “speculative execution.” In simple terms, it’s a process where repetitive commands are anticipated and stored in a designated part of the processor’s memory, which enables computers to operate more efficiently. This particular temporary memory holding cell is where Spectre and Meltdown seek to intercept sensitive information.
Cloud providers like Amazon Web Services are trying to apply patches to their systems quickly, but initial results show performance slowdowns due to the necessity to route data in less efficient ways. Experts predict it’s going to take some time for vendors to collaborate and come up with fixes that strike a balance between improving security without compromising performance.
3 Things ISVs Should Do About Spectre and Meltdown
Like nearly any new potential threat, there’s practical steps to minimize risk. Here are three things ISVs should keep in mind with these threats:
- The basic tenants of security still apply. Cybercriminals prefer to go after low hanging fruit, which in this case is typically phishing attacks that trick users into clicking links or attachments to launch malicious executables. If you’re following the tips Mike Monocello outlined a few months ago, “Keep This Payment Security Checklist Handy,” you’ll avoid a lot of security pitfalls.
- Understand which companies are most at risk. Exploiting the Spectre and Meltdown vulnerabilities requires a motivated and well-funded attacker, so only targets with a potentially significant payoff are considered high risk for this kind of attack. However, as a B2B software developer, that may be the target audience of your software. High-value targets include: prominent businesses, financial institutions, industrial systems and infrastructure and anyone a nation-state might be targeting has reason to be concerned about Meltdown and Spectre.
- Educate Yourself, Educate Your Customers. A recent Wired article stated, “Though many of the most prominent manufacturers and software makers have taken steps to address the issue, countless smaller vendors and developers will inevitably become stragglers—and some may never directly address the flaws in their existing products at all.” Your software may not play a role in the speculative execution process, and therefore it may not be necessary to make any specific security changes to your product. However, make sure your company knows the answer to this question. And if there are any vulnerability concerns, make sure to stay on top of the latest security patches from processor manufacturers as well as cloud providers, so your company can be a leader rather than a laggard in protecting users’ data.
Keep in mind that we’re in the early days following the discovery of a whole new kind of system security vulnerability. You should anticipate that security mitigation advice and best practices will evolve. Your business should expect to do the same.