The Day Everything Became Less Secure
It’s January 9th here in London. I’m sitting in Heathrow waiting for my flight back to Seattle after spending new year with my South African family in Cape Town. It may be the disorientation one feels during a transcontinental flight, but I have a feeling I can’t shake. It feels as if the Earth has shifted under my feet slightly and as if the basic laws of physics that govern the universe have changed subtly.
That feeling is caused by the Meltdown and Spectre vulnerabilities that were made public on January 3rd, last week. These two vulnerabilities are a new class of vulnerability that comes built into the hardware that we run our operating systems and applications upon.
OS vendors have been working on patches since June of last year when the vulnerabilities were first confidentially disclosed to them, and some major players like Ubuntu, still have not released a fix.
As if having a vulnerability that is hard-wired into unchangeable hardware and which is exploitable by every layer above the hardware is not enough: The fix may incur performance penalties. RedHat has published data for their Linux distribution, for example, that indicates performance impacts may be from 2% to 19% based on their benchmarks.
I’m looking forward to the Ubuntu patches that are scheduled to be released today and their benchmarks. We will be deploying those as soon as possible on non-critical servers at Defiant that are in production and under high load, to gauge their performance impact.
Ubuntu is widely used and you will begin to see hosting companies deploy security patches this week. Tuesday, January 9th was actually the original disclosure date that researchers and developers had agreed upon, both for disclosure and for the release of patches. For reasons I explained last week, the disclosure happened early, but the release date for security patches remained today.
If you run a high traffic website that generates some load on servers, you’re going to want to sit up and take notice of your site performance this week. Your hosting company may do an excellent job of benchmarking any fixes before they deploy them and understanding the performance impact. They may also be running their servers with plenty of headroom for additional load. Or not. So keep an eye on your web server and database performance as the week progresses.
In discovering this vulnerability, Google’s Project Zero and the researchers involved in Meltdown and Spectre have blazed a trail for others to discover similar vulnerabilities in hardware. Expect to see more vulnerabilities in this class emerge during the coming months and years.
While developers and vendors are doing an admirable job of creating patches that prevent these underlying hardware flaws from being exploited, new methods to exploit these flaws may emerge that circumvent security patches. The vulnerability exists in the underlying hardware and until that is fixed, every patch in an operating system or application is really a band-aid. So we may see these vulnerabilities reoccur.
As we start 2018, we find ourselves in a new reality. A new kind of vulnerability has emerged where the underlying problem is not fixable without replacing chips, because it exists in hardware. Vendors at every layer of the OS/Guest/Application/Sandbox stack are scrambling to band-aid the hardware vulnerability. We are going to have to work incredibly hard and smart to find a way to continue to allow strangers to securely run their code on our machines.
Mark Maunder – Defiant Founder & CEO