Meltdown and Spectre Analysis and Current Status
There seems to be a lot of complacent or feel-good news that Meltdown and Spectre will solve themselves or that no worry or care should be taken from users but this couldn’t be further from the truth. In reality while CPU makers say “there are no known cases of exploits” doesn’t do much to allay fears of those in the know. This is because Spectre and Meltdown will not leave any trace or evidence that you’ve been hacked. Although it can be argued that there may be some signs of unauthorized access if that was how access was gained.
However, the nature of Spectre and Meltdown allow for normal authorized users, programs and even scripts on websites to exploit you. This is why it is so scary as there’s really no way to be certain you haven’t been breached.
It’s an issue for everyone because these exploits could impact anything from your bank, transportation/transit, airplanes, nuclear power plants, and basically anything else that relies on computing security since Meltdown and Spectre are a complete breakdown of those barriers. I won’t go into more of the basic details but I did make a quick “take on the issue here“.
The good news
There were patches quickly released for a lot of Linux, Windows and Mac devices. However this doesn’t mean that the users installed the patches or that all users have the ability or access to do so. Take for example physically remote computers, devices and perhaps some that are running headless that may not be easily accessible or that for some reason have patches disabled (this is more common than you’d think in production or mission critical environments).
Then what about old and unsupported versions of operating systems or that old security system, phone, or TV box, or even ATM whose manufacturer may not be around anymore or is just simply not offering support?
It’s the same issue with many common worms and viruses, patches, and fixes may be issued but millions or more are often still affected long after for various reasons.
The bad news
Even if we assume that Google discovered these flaws first, and if we assume they weren’t mandated to be put there via ARM, AMD and Intel what about insiders who know about this back in June or even earlier on? From that point a number of individuals and groups could have compromised or damaged sensitive data and computer systems. There’s still time since a lot of devices and people will not be patched yet.
And to make things worse, the only true way to solve this issue is with a CPU microcode update, which is not simple to deploy especially on embedded devices and any mistake can lead to a bricked device.
These OS patches are just that “patch work”, a hack or work around to mitigate the issue.
Then there’s the question of “we know there are 3 variants or vectors of attack”. What if there are others that are not yet discovered? You can be well equipped and funded organizations/hacking groups are working on this as we speak and they certainly won’t be disclosing it. Until all devices have microcode updates there’s no way to certain we are safe from unknown vectors related to Spector and Meltdown.
What can you do?
Simply look out for the latest updates for your devices/phones/computers and install the update but don’t falsely assume a new update means you are protected unless you’ve read so that “this update fixes the Spectre and Meltdown” issue.