Guest blog: Responding to chipset vulnerability issues

Wayne Harris, compliance officer & cyber security expert at ITCS , discusses the impact of the much-publicised chipset vulnerabilities revealed on 3 January.

There has been a flurry of publicity surrounding vulnerabilities identified within the Intel chipset (processors). However this vulnerability also affects other mainstream manufacturers AMD and ARM.  Together, these manufacturers provide the vast majority of processors in use by modern computer manufacturers.

Who is at risk and what is the threat?

The two vulnerabilities which have been revealed, ‘Meltdown’ and ‘Spectre’, affect every modern computer containing one of these processors, i.e. the majority of PCs on the market.

The CPU chipset vulnerabilities are present in most of the processors produced in the last decade, and in certain circumstances,  they allow access to contents of protected memory areas by some applications such as javascript in web browsers.

This will affect PCs throughout the world, not just Wales or the rest of the UK. That said, despite the hype, the threat is currently considered low on the Common Vulnerability Scoring System (CVSS).

What is being done to tackle the risk?

The underlying vulnerability is primarily caused by CPU architecture design choices, so fully removing the vulnerability will require the replacement of the CPU hardware. The true long-term solution will be the replacement of the vulnerable chipsets entirely, but don’t expect a product recall any time soon.

While it may be technically accurate to say a completely redesigned chip is the ultimate solution, large-scale hardware replacements would possibly amount to a needless, over-the-top reaction.

It is unlikely that manufacturers will offer chip replacements. We expect them to instead provide a solution to fix any chipset vulnerabilities with a patch.

Microsoft, Apple and other Operating system vendors have all responded quickly, and they have released (or are working on) solutions which will ‘patch’ these vulnerabilities.

Will I notice any difference when my PC is patched for chip vulnerabilities?

Unfortunately, at present there is a performance cost to this patch solution. Because the solution involves segregating the kernel into a completely different address space, it takes additional time to separate the memory addresses and switch between the two.  The impact on performance will vary – anything from a 5% to 30% reduction in processing speed can be expected.

How are IT providers like ITCS responding?

We have been monitoring the vulnerability since the news broke.  The company has already implemented a roll out of the Microsoft patch update throughout their contracted customers to address these vulnerabilities, and it’s continuing to monitor these installations to ensure customers continue to be protected with up‑to‑date vulnerability patching.

How should businesses respond?

Businesses should also make sure they update their operating systems when prompted. However, this is a timely reminder to make sure that both your physical and cyber security, as well as your provisions for the new GDPR rules, are kept up to date.