Tony Proctor, Principal Lecturer in Cyber Security, blogs about the vulnerability in major chipsets.
The vulnerability in major chipsets that has been announced this week is being referred to as Spectre and Meltdown. What is different about this vulnerability is that it has been discovered by targeting the way in which the hardware functions rather than the software (which is the more usual target for hackers). This means that most devices are affected and, if exploited, this vulnerability could allow an attacker to read the contents of memory on a device. This could be anything that happens to be in memory at that particular time, including password and payment details.
Are we able to provide any straightforward advice? Well, we really are dependent upon the suppliers providing patches and need to apply them when they become available. When applying patches, organisations usually consider any possible negative consequences that might happen as a result of their installation. Some media reports have suggested that devices will be slower as a result of applying the update. This seems rational but we will have to wait and see whether this noticeably affects the performance of our devices.
The National Centre for Cyber Security (NCSC) is saying that currently there do not appear to be any exploits of the vulnerability. But unless this is an extremely difficult vulnerability to exploit, we know from experience that it is only a matter of time before someone does exploit it. It seems that the vendors have been aware of this vulnerability for some time and we are starting to see updates being made available. Given the latest information, the best advice is the old advice: apply the patch as soon as possible (including any usual testing) and, if any of your systems are operated by third parties, now is the time to ask what they are doing.
The University of Wolverhampton provides cyber security threat awareness updates to member organisations through the WARP Network.