Start your year with a massive security flaw
While New Zealand holidayed in the sun (or torrential rain, depending), the IT world suffered something of a quake with the discovery that almost all computers (using the widest possible definition of "computer") suffer from not one but two major security flaws that could expose private data to the world.
The vulnerabilities (dubbed Meltdown and Spectre) are inherent in the chipsets produced for Intel, IBM, AMD, Apple, Arm and Qualcomm, suggesting almost all the devices we use on a daily basis, including personal computing devices and many cloud-based services, are at risk.
Intel was the first to confirm the flaws exist in its current product line-up, and bore the brunt of the financial markets' fury with its share price falling and talk of a possible investigation into the CEO's sale of most of his company shares just prior to the announcement.
While software patches for Meltdown are already being released, fixing the problem of Spectre looks likely to involve hardware replacement as well as short-term software solutions. Either way, performance will be impacted on patched machines - most notably in the graphics-intensive worlds of design, video and gaming.
The two flaws are best described by a site hosted at the Graz University of Technology, set up to cover the situation, although this explanation is also worth linking to.
Meltdown is described as: "Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system." Spectre is described as: "Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets."
The site also gives access to more detailed analysis for the hard-core security types.
Currently there are no known exploits of either vulnerability, but given the widespread nature of the problem that is unlikely to continue for very long.
New Zealand's newly minted cyber-security agency CERT NZ has been closed for the Christmas break - as of 8 January there doesn't appear to be any notification about either security issue on its website.