The Recently Revealed Microchip Security Flaw: How Big Is It?

The year 2018 was barely a few days old when technology news outlets reported ominous news about security flaws going back two decades. One question about the recently revealed microchip security flaw remains, and it relates directly to business strategy: How big is it?

The reports revealed two vulnerabilities in Intel chips dating back to the mid-1990s. Exploiting these vulnerabilities allows attackers direct access to data stored on the chips – including from password managers, browsers, emails, documents, and photos.

The vulnerabilities, dubbed “Meltdown” and “Spectre,” affect devices and operating systems across platforms, including Windows, Mac, and Linux. Meltdown, which affects Intel chips, provides access not just to the chips themselves but also to the physical memory on any affected machines.

How They Expose Vulnerabilities

The chip flaws were discovered last year by Google’s Project Zero computing security analysis group in partnership with researchers in academia and industry. They were discovered when a Project Zero researcher found that passwords, encryption keys, and other sensitive data were accessible in applications where they should have been protected.

Both bugs work on the same fundamental level by focusing on disrupting the isolation of kernel memory (which represents the core of an operating system) from core processes. They operate slightly differently, however.

Meltdown allows attackers access to whatever is in the device’s memory (including files, data, photos, and video) by breaking down security barriers embedded in hardware. Spectre, which affects all chips made in the past 10 years, works by tricking applications into releasing secrets.

Newly exposed flaws allow hackers to access files stored both in memory and applications.

Response and Impact

Tech companies rapidly released patches that were designed to repair the issues. Apple, Linux, and Microsoft all released patches to their operating systems by the second week in January. Cloud services are also affected, prompting major cloud service providers such as Amazon, Google, and Microsoft to issue patches and schedule downtime.

When it comes to impact, there are both short- and long-term implications. The patching work itself did not appear to cause major disruptions to services or functionality.

The long-term impacts are less clear. Daniel Gruss, an information security expert who helped discover the Meltdown hack, told wmd.com that while billions of computers and devices are affected, it will not be easy to pull off an attack.

Intel's CEO said that the rapid response by industry has also mitigated the risk. He predicted that 90 percent of chips made in the past five years would be fixed by mid-January.

However, despite the fast response and partnership among industry leaders, Intel may be in trouble. The company makes 98 percent of all chips used in data centers. Customers may be more likely to shift from Intel chips to competitors such as Advanced Micro Devices (AMD), or look for rebates, replacements or financial considerations due to the potential damage from the breach.

New processors are likely to be re-engineered to prevent similar issues in the future. However, the long-term impact and exposure of existing devices, especially those whose users do not download and install the patches, remain to be seen.