
Meltdown and Spectre Frenzy

Posted 4 Jan 2018

Google’s Project Zero unleashed a news frenzy and a panic in the IT industry with disclosure of the Meltdown and Spectre vulnerabilities. Or did they?

Under Project Zero, a Google-funded research team finds zero-day vulnerabilities and alerts software authors so that the flaws can be fixed before hackers can exploit them. Project Zero doesn’t disclose the vulnerability until the patch is made available. In this particular case, the blog post was dated 3 Jan 2018. They claim that they notified Intel on 1 Jun 2017, which is six months prior to this month’s disclosure.

News of the upcoming kernel release and its performance impact was already being discussed on the PostgreSQL mailing list on the previous day. The Register picked up on this, and matched it up with the coming kernel patch that was announced on the Linux kernel mailing list on 4 Dec 2017. The Register article identifies that the vulnerability is not limited to Linux, and it also impacts Windows and MacOS. Once The Register had published its story, other tech news sites followed suit and released their own stories.

Intel’s initial 3 Jan 2017 response to the frenzy of Meltdown/Spectre news claimed that the problem is not unique to Intel processors. They named “AMD, ARM Holdings and several operating systems vendors”. Microsoft issued knowledge base articles for the coming patches. Microsoft Azure released a same-day statement describing how the cloud service was addressing the vulnerabilities. As news spread, Microsoft accelerated its efforts to patch its cloud infrastructure, which frustrated some customers attempting to redeploy virtual servers to patched hosts. Customers complained of unscheduled or hung redeployments. VMware also released an advisory on the same day. Other vendors have followed suit.

After reading enough news articles on the Meltdown and Spectre vulnerabilities, it’s possible to put together the puzzle pieces to get a clearer picture of what was coming our way. Patches were well under way. Unfortunately, The Register beat them to the punch, before everyone involved could make their simultaneous coordinated patch announcements.

As with the ShellShock and Heartbleed vulnerabilities, once the news had hit the mainstream media, it was only a matter of time before Meltdown and Spectre received their own logos.
