Spectre and Meltdown Vulnerabilities

Updated: 18/01/2018

You may have recently heard about some major computer security vulnerabilities that have gained a lot of attention in the media. More commonly referred to as "Meltdown" and "Spectre", these are in fact 3 different types of issue - just given some catchy sounding names. They are however fairly serious and affect all kinds of IT equipment/devices - in some cases going back nearly 20 years.

What is Meltdown?

Meltdown is the name given to a problem that primarily exists on Intel processors (the processor being the brain of the computer). Intel processors are in the vast majority of computer systems, and certainly almost exclusively those provided by us. Just like most IT companies and suppliers, that means pretty much everything is impacted, save for a few low-end Intel processors.

The issue with Meltdown is serious because it permits software to access memory from other programmes - and if you have a "virtual" server, potentially data from someone else's virtual server (and vice versa). This could potentially mean things like a password you've entered into some other web browser or bit of software and so on. It's a difficult issue to fix properly because the flaw is in pretty much every Intel processor made in the last 20 odd years, and can't be fixed at the processor level. In theory Intel could recall and replace every processor made in the last 20 years, but clearly that won't happen. The "solution" therefore is that operating system vendors - e.g. the companies/organisations that make & maintain Windows, macOS and Linux - are implementing software "fixes" to enforce the security that should always have been there.

There is however a catch - whilst this fixes the security, or at the very least avoids the problem that still ultimately exists, the technical process that arises is much slower than when done with the proper hardware. For a typical desktop computer, this might not make too much of an impact, even if it does slow things down by a few percent. On servers or heavily used desktops this could be a different matter, and some reports suggest performance drops can reach as much as 30-35% - a huge issue for very busy systems. Further, the patches being released by those operating system vendors might upset existing software (e.g. prevent it operating properly), which causes further issues. Indeed, Anti-Virus software is so badly affected by this change that the software has to be updated and the vendor has to set a "status" flag in Windows to let Microsoft know it can install the updates - without this, Windows does not apply the workarounds/fixes!

What is Spectre?

Spectre is the name given to 2 different - but similar - issues that arise because of some innovations and technological solutions to help make our computers and indeed other devices faster. Unlike Meltdown, Spectre affects devices that don't contain Intel chips to varying degrees, as well as those that do, and it stretches to other devices such as Tablets, Smartphones, Smart TVs and much more. Spectre issues arise because of a feature known as "speculative execution". In simple terms, when you're using a device, the processor tries to "predict" or "speculate" as to what is required next, so it pre-computes some things while it's waiting for further instruction on what to do. If the prediction is correct, it can rapidly respond once asked, having already computed the result; if not, it can throw the "speculation" away and do what you asked for.

The problem arises because of a flaw in how this works - and this is much harder to fix too. A common example of the Spectre flaws being exploited would be a web browser being tricked into providing username and password information entered into a web page. With this kind of flaw, the potential is that there will be, or certainly could be, further exploits not yet discovered using similar techniques, but even harder to protect against.

What can VPW customers do?

For customers who've purchased Computer Hardware from us, we're evaluating and liaising with vendors on what options are out there. In some cases we might need to install some software patches, update anti-virus (if we supply it) or take other action to help you guard against it. Customers with Proactive Desktop/Laptop plans will be contacted first, followed by those with Proactive Server Plans, and then others with an active Committed IT Support plan. Other customers won't receive proactive assistance as those features are not included in our other offerings.

For customers using our Hosted, Virtual and Cloud Services, you won't need to take any action at this time. Where possible we're deploying updates to mitigate or protect against the issues that have been identified, subject to any relevant Hardware or Software vendors providing patches or relevant updates that allow us to do so. We'll continue to proactively monitor our systems to make sure everything is fine. This includes our Agility platform.

Existing customers without a Proactive Plan can upgrade, or choose to pay on a routine basis for assistance with this issue.

Not yet a customer, or purchased your own hardware?

If you're not yet a customer, or you have procured your own hardware, you should in the first instance contact the vendor of your equipment and/or operating systems/applications. You could also consider taking one of our Committed IT Support Plans with Proactive Desktop/Laptop and/or Proactive Server Maintenance services.
