The aspect of the latest Spectre/Meltdown vulnerability that interests me is not how widespread it might be. Not that it sits below the OS level. And while I am thankful I cannot find reports of it being exploited in the wild, not even that is what really interests me (though I am of course on the lookout).
What interests me is how the patches for it are playing out in the industry. Until now, patches went one way: they were released and you installed them or you didn’t (at your own risk). There was the Windows patch that prevented WannaCry, and some of those who missed it suffered multi-million dollar losses from the ransomware attack. Then there was the Struts patch that seems to have been missed on one Equifax site, causing a massive breach of personal information. But here’s the thing: they were software patches. Windows and Struts are, after all, software, and the patches to fix them were platform-agnostic upgrades. If you were running Windows or Struts, you needed those patches. And if you didn’t apply them, well, the consequences were severe in some cases.
Spectre/Meltdown is different. When you see words like “chipset”, “firmware” and “BIOS”, you know you are at a different level of the machines we all depend on. This was not about Microsoft or Apache; this was about Intel and AMD. Even the descriptions of the exploits were different from those for ransomware and escalation-of-privilege attacks.
The patches came out quickly, got deployed quickly in many cases, and the problems with them got reported just as quickly. As of this writing, February 3rd, the advice on deploying the patches runs the gamut from “do so at your own risk” to “we recommend you don’t.”
So now we have two vulnerabilities exposed: the defect in the design of certain chips and the way in which the industry as a whole was not prepared to handle a critical patch that took more than a simple software upgrade to test and deploy.