Major bugs Meltdown and Spectre come with cute logos

Major flaw in CPUs around how they process data where revealed this week.

From the off­i­cal news release.

Melt­down and Spec­tre exploit crit­i­cal vul­ner­a­bil­i­ties in mod­ern proces­sors. These hard­ware vul­ner­a­bil­i­ties allow pro­grams to steal data which is cur­rent­ly processed on the com­put­er. While pro­grams are typ­i­cal­ly not per­mit­ted to read data from oth­er pro­grams, a mali­cious pro­gram can exploit Melt­down and Spec­tre to get hold of secrets stored in the mem­o­ry of oth­er run­ning pro­grams. This might include your pass­words stored in a pass­word man­ag­er or brows­er, your per­son­al pho­tos, emails, instant mes­sages and even busi­ness-crit­i­cal documents.

These are pret­ty seri­ous vul­ner­a­bil­i­ties, and soft­ware updates have already been released (or in the pipeline) before the dis­clo­sures hap­pened. Its impor­tant that users upgrade as soon as possible.

What I like about the pub­lic­i­ty are the nice logos that have been devel­oped. I do won­der if these help with get­ting peo­ple to recog­nise vul­ner­a­bil­i­ties (along­side brand­ing them, not just a CVE num­ber) and get­ting peo­ple to update. It cer­tain­ly helps hav­ing a nice image for news reporting.

The Spectre Logo
Look at this guy, the Spec­tre logo. Does­n’t it look cute… Now whats it going to do with that stick.

This seems to be a grow­ing trend. Whilst nam­ing bugs and virus has been going on for years, to try and brand secu­ri­ty vul­ner­a­bil­i­ties and give them graph­ic illus­tra­tive, almost car­toon­ish logos is some­thing quite new.

Heartbleed logo
The Hear­bleed logo, for a secu­ri­ty vul­ner­a­bil­i­ty involv­ing ssl secu­ri­ty leak­ing information.

I like it a lot, I first noticed this with the heart­bleed logo a few years back (2014). I think if it helps to increase aware­ness on tech issues and the need to update and pro­tect your devices, then its a good thing. It’s impor­tant to under­stand that good secu­ri­ty is not just about code, the biggest vul­ner­a­bil­i­ty is the human, and not all humans are tech focused.

Mean time, the tech focus is on updat­ing soft­ware and mit­i­ga­tion (Replac­ing the CPU with one with­out the fault is the only ‘fix’). This is not just on per­son­al com­put­ers, but servers too. Theres going to be a per­for­mance hit, though the sug­ges­tions of 30% only seem to apply for very high loads.

For an expla­na­tion of the vul­ner­a­bil­i­ty, this on the Rasp­ber­ry Pi blog (one of the few devices not effected.

The more trou­bling issue is that Spec­tre can be exploit­ed using Javascript. Mit­i­ga­tions are being released for browsers, mean time there is more infor­ma­tion on what web devel­op­ers can do on the Chrome Devel­op­er Blog.

Leave a Reply