Since the announcement of the CPU vulnerabilities that allow Spectre and Meltdown attacks, there has been a lot of FUD (fear, uncertainty and doubt) circulating. For an easier understanding of the issue, we developed a simple FAQ about it.
If you want fuller details on how this vulnerability came to be, works, and what the remediation plan is, check out this blog post.
Q: Is this just another malware?
A: No. This is an actual hardware problem. Malware normally requires someone to do something wrong to become infected (like go to a bad website). This vulnerability is ALREADY in your environment.
Q: It probably doesn’t affect my hardware though, right? I just upgraded.
A: No. This effects almost all Intel, AMD or ARM hardware in the last 22 years, including both things that you should have already upgraded and things that are brand new. In fact, anything new you buy will still be susceptible.
Q: It probably doesn’t affect my hardware though, right? I haven’t upgraded in 7 years.
A: Again, this effects almost all Intel, AMD or ARM hardware in the last 22 years, including both things that you should have already upgraded and things that are brand new. Even anything new will still be susceptible.
Q: This problem has been around for 22 years you say. Why are we suddenly worried about it?
A: Some really smart people have figured out how to exploit a problem that has always been in the system. Now that the cat is out of the bag, it is known it can be exploited with as little as 15 lines of code, which means people will be doing so, and quickly.
Q: I don’t run Windows, therefore I’m fine. This is just another failure of dumb Microsoft.
A: That wasn’t a question, it was an incorrect statement. This is a hardware problem. Linux, Unix, OSX, Windows, Android, iOS, etc. are all susceptible to this problem.
Q: I don’t deal with servers, I’m a (Desktop/Network/Developer/mobile device) admin. I’m in the clear, right?
A: No. Many network and mobile devices run on Intel/AMD/ARM processors and are therefore susceptible to this bug. Desktops are just as vulnerable as servers and can actually give away just as important of data.
Q: How do I find out if one of those providers that I support is susceptible?
Q: Oh no! My vendor isn’t on either of those lists!!! Does that mean I’m stuck vulnerable with no hope of resolution?
A: Not necessarily. Try going directly to the manufacturer. Or, if you don’t want to deal, reach out to your favorite solution provider – like us — and have them help you.
Q: I patched my hardware OR software, therefore I don’t need to patch the other, right?
A: No. You need to patch both hardware and software for this. The Meltdown problem is primarily a hardware problem that should be resolved through a BIOS update. The Spectre problem is a software execution that leverages behavior that cannot be fixed through hardware updates.
Q: Okay, I patched for Meltdown, both BIOS and Windows, so I’m covered, right?
A: Nope. Spectre leverages the way individual different applications behave, and therefore can be exploited many different ways based on different applications. Watch for patches for your applications.
Q: I read something online that said that if I patch for this, my performance will immediately be completely unusable and my environment won’t even work. Is that accurate?
A: While there IS a performance impact of the patches, it depends heavily on what you’re doing whether or not you will be impacted by it. For normal desktop users, it has been shown that the performance impact is just one to three percent in most situations. In other words, something that used to take 100 seconds will now take 101 to 103 seconds. In some extreme situations, such as highly transactional databases (or other seriously IO-intensive workloads), the performance impact could be as much as 30 percent.
Q: Well I’m not going to take that kind of performance hit!
A: Once again, that wasn’t a question. Remember, this bug is so pervasive and so serious, it could expose the contents of your database or files in cleartext to outside parties if you aren’t patched. Is that not more important than it being a little slower?
Q: This is miserable. Can I just stick my head in the sand and act like I never read this?
A: Sadly, no. However, if you don’t want to deal with it, outsource it to your favorite solution provider and make it their problem. If you don’t have one you trust, give us a call at 502-240-0404 or email us at firstname.lastname@example.org.