It was only a matter of time before we started naming security vulnerabilities after James Bond movies. If the names selected for the two microprocessor vulnerabilities announced this week—Spectre and Meltdown—haven’t brought fear to the hearts of the computer-using public, it can only be because they were overshadowed by weather forecasters’ breaking out the label “bomb cyclone” for this week’s East Coast snowstorm. The vulnerabilities affect almost all of the microprocessors manufactured by Intel, the company that makes the chips used in most personal computers. (For years it was the world’s largest computer chip manufacturer, but its chip sales were surpassed by Samsung over the summer. Samsung’s chips are primarily used in mobile devices, however.)
Both Meltdown and Spectre reportedly could allow intruders to steal all of the data stored in the memory of a computer using one of the affected chips, but one is much easier to fix. Meltdown has been addressed with software patches issued by Microsoft and Apple, as well as several browser manufacturers. Spectre, meanwhile, apparently cannot be fixed with a software update. We’ll have to wait for a new generation of computer chips, and personal computers, before it can be addressed.
Hardware fixes are, by nature, much slower and more difficult (and more expensive!) than software fixes since they require all of us to go out and buy new computers rather than just downloading a patch—though convincing people to install updates is a challenge of its own. The fact that we rely on pretty much just one company to manufacture microprocessors for personal computers makes it that much harder, of course.
So that’s the bad news, but there’s also some good news in this story. Spectre and Meltdown were discovered by a group of independent, academic, and industry researchers, including a team at the Graz Technical University in Austria, researcher Paul Kocher, and Google’s Project Zero security team. Happily, their contributions are being celebrated and appreciated even by Intel, despite the fact that none of the researchers works there. That’s not always a given for people working on, or even just writing about, vulnerabilities in other companies’ products.
Just last month, Keeper Security filed a lawsuit against Ars Technica security editor Dan Goodin for publishing an article about vulnerabilities in Keeper’s password management service. In November, researcher Kevin Finisterre discovered a vulnerability in the products of drone manufacturer DJI and reported the issue to the firm. But he said the company later threatened to bring a lawsuit against him under the Computer Fraud and Abuse Act. (No such lawsuit has been filed.) So independent security research is still far from being universally accepted or encouraged by major tech firms. It’s heartening to see Intel embrace it—and it’s an important reminder of the incredible value in having people outside a company test its products and services for security flaws.
It’s also heartening to see how quickly the major cloud computing companies, including Google, Microsoft, and Amazon, patched their systems to protect against the Meltdown vulnerability. One of the stranger things about the media coverage of Spectre and Meltdown has been its emphasis on the idea that these vulnerabilities are especially dangerous for cloud computing, in which multiple customers’ data may be stored on the same servers. The New York Times called Meltdown “a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft” while The Verge said, “The CPU catastrophe will hit hardest in the cloud,” but in fact cloud services have done more to protect themselves against the newfound flaws than most of the rest of us.
Were those services not immediately patched, it’s true, the vulnerabilities could well have caused major problems. Someone with access to an account on one of their cloud servers could potentially have accessed other customers’ data. But since they were in fact immediately patched, they’re probably one of the safest places to store your data right now if you’re worried about someone exploiting Meltdown. Far from being a crisis, Meltdown was a success story of cloud computing—patches rolled out across a handful of huge companies effectively serve to protect the data of millions of customers worldwide.
There’s an understandable inclination in the aftermath of the discovery of a new security vulnerability or data breach to make it out to be as apocalyptically terrible as possible if only so people will read about it. That’s not always a bad instinct, as sometimes it helps draw people’s attention to the problem in productive ways by encouraging them to install patches or change compromised credentials. But there are also happier stories underlying some of these discoveries, and it’s important not to lose sight of those.