Juha Saarinen: A new year, a new monster security threat

Tech blogger for nzherald.co.nz.·NZ Herald·

9 Jan, 2018 04:00 PM3 mins to read

I wouldn't be surprised if computer buyers stand back until the chip makers have solved the problem. Photo / 123RF

Sadly, the world doesn't stop when we go off on summer holiday. This year was no different, and just after the New Year, several security experts published research that detailed two serious security vulnerabilities affecting the inner sanctum of millions of computers, the central processing unit chips.

That's a nightmare scenario, because the flaws - named Meltdown and Spectre (because vulnerabilities have cool names nowadays) - are due to how the chips are designed, and you can't fix it with an update.

The research is clever stuff, so much so that not even the hackers at the United States National Security Agency had thought of it before.

Since Meltdown, the vulnerability that's the most practical for attackers to exploit, goes back to processor designs since the mid-90s, just about every active computer in the world is potentially at risk.

By computers I mean almost everything, from PCs to Macs, to smartphones to the routers that forward data packets on the internet to you, and cloud servers. No wonder IT professionals hope Meltdown and Spectre will be difficult to exploit for attackers because if not we're going to be in massive trouble.

Preventing Meltdown and Spectre attacks involves a software update that changes how a specific processor feature is used. There's no way to fix the flaw in the processor itself, and the update can be problematic for certain antivirus software and stop computers from starting up.

Also, the processor feature in question is used to speed up how instructions are handled. With the update applied, your computer could perform certain tasks much slower than in the past.

The only solution seems to be to replace the hardware with new gear that isn't available yet, and which will be costly and slow to do.

Computer users are angry at being caught between a rock and a hard place like this, and chip makers face being hauled in front of the courts because of it.

What's clear is that chip makers will need to come up with a new design that not only fixes the Meltdown and Spectre flaws, but adds protection and the ability to update against future issues that are yet to be detected - perhaps through the complete isolation of potentially vulnerable hardware with an updateable software layer above it.

That's a monumental task but a necessary one because computers are everywhere and it's simply not possible to replace all the vulnerable ones in a timely fashion.

Intel, AMD and the ARM processor design house will be sweating it out trying to devise a solution, and I wouldn't be surprised if computer buyers stand back until the chip makers have solved the problem.

Meltdown and Spectre could be the worst computer bugs ever for that reason.