There was no slow ease-in to the new year for the IT industry this year. No sooner had we sat down as our desks following the Christmas break, a new security flaw was announced. While this is nothing new these days, this one was a biggie. A problem had been discovered in all Intel chips (and others) that, amongst other things, would allow someone to add maliciously crafted code to a website that can freely try and grab various passwords that a user has entered on other websites.
Why is this problem so serious?
As anyone that has read even a couple of these blogs in the past will know, serious security flaws are found all the time. In fact, the constant stream of issues is such that, even as IT professionals, it's hard to keep up with them all. It just becomes a constant low level noise that you're aware of. You read the headline and the important details, apply whatever updates fix the issue, then move on.
However, the difference between this flaw and nearly all other flaws that are found is that the problem here lies within the hardware itself. In almost all other cases, security problems are found in software. This means there's a problem in the lines of code that power an application. If there's a problem with the code, that means it can be fixed in the code. Therefore, it's just a matter of the developer identifying where the issue lies, removing that vulnerability in the code, then releasing that fix for everyone to install. It's not always quite as simple as that, but that's the general process.
In this case, this approach doesn't work. The problem doesn't lie in lines of code that can be rewritten. It exists in the actual physical chip itself. Therefore, the only proper solution to a hardware problem is to replace the hardware.
This poses a couple of major problems. This affects almost all devices made this century, so the sheer scale of the problem means hardware replacement just isn't feasible. The second major problem here is that even if it were somehow possible to replace the chip in every vulnerable device, there is currently nothing to replace them with. Even the most recent chips have this problem. Fixing this won't be easy either, so it will probably be months until hardware without this flaw exists.
How long have they known?
The chip makers (Intel, AMD etc) and various other 3rd parties (Microsoft, Apple etc) were made aware of this flaw back in June 2017. In the 6 months following this, they worked on ways to mitigate the flaws (and, as covered above, mitigation is the only course of action for now. Fixing it properly isn't currently possible).
The "when" is also significant here for the chip makers. Intel released their latest range of chips at the tail end of 2017. These chips are just as flawed as all those that preceeded it. The process of designing new chips takes months, so the new design will predate them being informed of the flaw. However, that wouldn't have prevented them from calling off the launch, and yet they went ahead with it anyway. Unsurprisingly, there are now a number of lawsuits being filed for knowingly supplying defective products, amongst other alledged issues.
As it happened, the flaw was coincidentally revealed by an IT website 2 weeks before the companies intended to announce it. This is why there was a mad scramble at the beginning of January to release and apply updates and patches in a very short space of time.
What can be done?
So if the problem can't be fixed properly, why the rush to update? While software cannot be used to fully fix the problem, it can be used to try and work round it. The first attempts at this are what was made available after the reveal in early January this year.
One thing to note here, while we've been referring to a "problem" above, it's actually "problems". There were two critical flaws announced at the same time. One was dubbed "Meltdown", and the other was codenamed "Spectre".
We won't get into the specifics of these flaws here. We only mention the fact that there's two flaws because the updates made available basically "fix" the first flaw (Meltdown). It can cause the machine / device to slow down significantly (depending on exactly what it's used for), but given the severity of the flaw, not installing the fixes aren't really an option, so it's just a matter of installing them and then forgetting about it.
Spectre, however, is a different matter. Fixes have been put in place that begin to try and mitigate against this flaw, but it is unlikely to be foolproof. Now that this flaw is known, coupled with the fact that it affects pretty much every device, this makes it a huge target for those that want to attack machines. Again, as these attacks are discovered, patches can be released to block that line of attack, but it'll be a constant game of whack-a-mole until the problem is fixed properly at the hardware level. This also means that everyone needs to have bought new hardware that includes these fixes, so we are probably looking at least a decade until all the devices that are being used currently have stopped being used. That means it's worth the attackers pouring huge amounts of resources into finding ways round any patches that are created, as the potential returns on exploiting this flaw will be huge.
For now then, all we can do is to continue to make sure our machines are kept up to date and hope that the operating system and browser manufacturers manage to stay one step ahead of those that will be constantly trying to exploit this flaw. And then when Intel et al have produced new chips without the flaw, as one final kick in the teeth, we will all need to buy new chips / devices from the very companies that have caused the problem in the first place... Or we could all just chuck our devices in the sea and start faxing each other again!