Yesterday information began to trickle out about the Meltdown and Spectre vulnerabilities. At ThinkStack we were speculating about the impact. This is the scariest vulnerability to date, but because it is so scary the response has largely been swift. In cases such as this, where a vulnerability spans many systems, it is kept quiet for some time while all parties resolve the issue. Publicity on vulnerabilities like this often just gives the bad people an opportunity to exploit them before protections are in place.

The Good News

Intel, AMD, ARM, and all cloud providers were already notified of this issue back in June of 2017. This has allowed them ample time to resolve the vulnerability on their respective platforms.

Cloud Protected Checklist
As of 1/4/2018 all cloud platforms are reporting that they have resolved the vulnerability. Azure and AWS were both finishing the last few percent of affected systems the evening of 1/3/2018.

The Bad News

Microsoft, Android, Linux, and Unix are all pushing out patches to both server and workstation operating systems. It will take some time for those patches to propagate throughout the ecosystem, and it’s very important to apply them as soon as possible. Even though the cloud subsystems are protected, the operating systems themselves still have vulnerabilities which are addressed in patches. Our recommendation is to run updates many times throughout the next two weeks. This should occur on all servers and workstations as the vulnerabilities are patched and as bugs are squashed.
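One way to confirm after each update run that a Linux server or workstation has picked up the kernel-side fixes, as an added example that is not part of the original post: it reads the status files the Linux kernel exposes under `/sys/devices/system/cpu/vulnerabilities` on kernels that include that reporting interface. The function names and the `--check` switch are illustrative choices made for this example.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state on a Linux host.
# VULN_DIR can be overridden to point at a copy of the files (e.g. for testing).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one kernel status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT_AFFECTED" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# Print one line per issue; return 0 only if nothing is VULNERABLE or UNKNOWN.
check_host() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            status=$(cat "$dir/$issue")
            verdict=$(classify_status "$status")
        else
            # Assumption: a missing file means the kernel predates the
            # reporting interface, so its patch state cannot be confirmed.
            status="(kernel does not report this issue)"
            verdict="UNKNOWN"
        fi
        printf '%-11s %-13s %s\n' "$issue" "$verdict" "$status"
        case "$verdict" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_host
    exit $?
fi
```

A non-zero exit means the host should be updated, rebooted into the new kernel, and checked again. The result covers kernel mitigations only, not firmware or microcode updates.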

The Ugly News

These issues have been in the wild now for many years, in the case of Spectre two decades. Researchers have yet to see a live implementation of the vulnerability; however, that doesn’t mean there haven’t been instances of exploitation. The fixes to ‘Meltdown’ may result in up to a 30% decrease in performance. Since the issue has been patched, you’ve already been seeing the performance hit within each of the clouds. Amazon and Microsoft have both stated they have optimized around the issue to minimize the impact.

The technical world will be feeling the impact of this issue for years to come, until the physical CPUs are replaced organically.

For further information please see the amazingly well written article at: