So, 2018 has really kicked off with a bang! If you use a computer, tablet, phone, etc. (hint: if you think you’re not, then how are you reading this page 😉)… then you really need to be aware of one of the latest vulnerabilities … and, I would argue, one of the most significant the IT industry has faced to date!
What is Meltdown/Spectre?
For a rather interesting variety of reasons, I’m actually not going to cover the detail of what these vulnerabilities are, what they affect, or how they work. These have been well documented in many different locations, and you only need to Google™ the two names to find out more (or, you could use one of the reference links below!).
What should I do?
A purely personal perspective … would be to:
- Patch in a non-production environment
- Test again
- Then, carefully promote to production, having taken into account a risk-based approach
That patching is required is well documented, and clear. What is also clear is that there is an evolving set of patches from many different vendors. Before applying any patches, understand what is needed, understand what they do, and verify that you have the latest information available. And please … test!
Did someone say “performance”?
There is a lot of, ahem, “speculation” about whether implementing the various mitigation patches will affect the performance of a system/device. Without offering an opinion either way, I did find the following article from Olaf Kirch, Distinguished Engineer and VP of Engineering at SUSE, very interesting. In this article, he explains why it is so difficult to predict the performance impact of these mitigations and why the only real answer is to do your own benchmarks.