Spectre and Meltdown, two flaws in the basic building blocks of billions of computing devices, are haunting the internet.
Researchers revealed the two bombshell bugs on Wednesday that expose individuals and businesses to potential hackers. There are no reports the bugs being exploited, but now companies big and small are scrambling to update their software and devices.
Consumers who use laptops for things like email and Facebook don’t need to do much besides practice basic security hygiene — that is, update their computer, smartphone and apps when updates are made available.
But for businesses, it’s a different story. Fixing the problems is a lot more complex.
These two sophisticated bugs matter especially to enterprises that deal with a lot of network traffic and considerable processing power — things like cloud providers, retailers that process consumer transactions, and medical systems that crunch data.
The flaws affect modern processors including Intel, AMD and ARM that use “speculative execution” to enhance performance. Fixing the problems will slow a computer’s performance, experts say, especially on devices more than five years old.
Intel said “for the average user,” the performance impact on products using the processors from the last five years “should not be significant and will be mitigated over time.”
Companies are rolling out fixes quickly — including Microsoft, Amazon, Apple and Google.
But there will be stumbling blocks: On Thursday, some Microsoft Azure customers reportedly said machines failed to come back online after receiving a patch.
Some patches, including some provided by Microsoft, aren’t available automatically because they can cause programs to crash, and business will need to make sure security tools like anti-virus software is compatible with the update, explained to Dmitri Alperovitch, co-founder and CTO of CrowdStrike. He anticipates most vendors will be compatible by next week.
The Software Engineering Institute, a U.S.-government funded body that researches cybersecurity problems, initially said the only way to fully remove one of the vulnerabilities is to completely replace the affected processor. It later changed its guidance on Thursday to suggest updating software was enough.
The institute didn’t say why it had changed its guidance. It didn’t immediately respond to a request for further information.
Replacing all the affected processors quickly would be impossible: there currently are none available to replace the vulnerable ones with the same kind of functionality.
“The reality is it’s going to take years before new chips are on the market that are able to bring back the functionality in a safe way,” Alperovitch said.
Once the hardware is available for companies to replace the problematic chips, it will be costly.
Updating computing systems in businesses is already time-consuming and expensive, says Wendy Nather, security strategist at Duo Security. Firms often fail to update computer systems in a timely manner, which was one reason last year’s WannaCry ransomware harmed so many businesses.
But distributing and replacing processors will be even more time and cost intensive than software updates, Nather said, so not all machines may get new chips.
“Breaches will happen silently, so if systems are still performing fine, many organizations will not bother patching,” Nather said. “It’s not as if it were ransomware and they were facing threats of downtime.”
Nather also said security executives will prioritize updating machines most vulnerable to attacks, like business-critical systems.
Researchers have already created proof of concept exploits to read passwords or other sensitive data from vulnerable computers. Experts say it’s just a matter of time before malicious attackers begin to exploit the flaws. However, they would require access to the machine before being able to steal information from the computer.
“Yes, this involves millions of systems worldwide, but again it’s not clear how straightforward it is to exploit these flaws just yet, and whether attackers are going to try to use this technique when they could use something much easier,” Nather said.
In other words, some types of phishing campaigns, malware, and spyware could be easier to execute and more effective at stealing information. There is no evidence malicious hackers have exploited the chip flaws, though researchers said it would be difficult for investigators to know for sure.
The tech and business worlds will likely be dealing with these flaws for years to come, but experts in the security community say that while the flaws are an interesting technical find and organizations should patch as soon as possible, it’s still one of countless vulnerabilities.
“In terms of real-world risk, it’s another day in information security,” said Kenneth White, security researcher and co-director of the Open Crypto Audit Project . “It opens up all kinds of interesting new lines of work and a lot of reassessment of fundamental assumptions we’ve made about hardware and security properties. For the average person, it’s just about patching.”