Listen To The Story

There's news security researchers have been scrambling for months to fix flaws in the microprocessors inside almost all the computers in the world. What's more, there are apparently two of these vulnerabilities. No. 1 is called Meltdown, and it affects many generations of Intel processors. It's a software issue. No. 2 is called Spectre, and it's how most computers are wired, not just software, but hardware, that could be exploited by hackers. From remote big computers in the cloud to some smartphones, what is private could be seen.

Jeff Pollard, principal analyst for security and risk at Forrester Research, joined us to discuss whether hackers have exploited these vulnerabilities. We started with remedies for Meltdown. Below is an edited transcript of the conversation.

Jeff Pollard: It appears that the patch is, for the most part, ready. I think the major thing that enterprise organizations as well as users have to understand is when you look at, like, cloud computing for example, AWS and Azure are prepared to release maintenance windows and patches for these. But that's just for the underlying infrastructure that your systems might reside on. If you're in an enterprise organization that uses cloud, your systems are still not patched. You'll still have to deploy those separately.

David Brancaccio: AWS is the Amazon cloud service, and Azure is another big one. 

Pollard: Azure is Microsoft's version — absolutely right. 

Brancaccio: We've been talking about Meltdown here. There's also Spectre, and for that we have a basic architecture issue. I mean, I don't have a soldering iron that small to be able to get into those chips to fix anything.

Pollard: And here's the thing: When you look at this issue, Spectre, we now know from Intel's release and information about this that it affects around a decade's worth of chips. Spectre really seems to be something, frankly, that is an architectural flaw in any what they call it x86 instruction set CPU, which is the dominant instruction set that most of us work on top of when we use our computers. The problem there is that the time that it takes to design a new processor and then fab itmanufacture it, release it out to markets. That's a decade. That's a five- to 10-year process for chip designers and chip manufacturers. This is an engineering and architectural issue that's going to be around for a very long time.

Brancaccio: It seems hard to overstate the significance here. I guess one mitigating factor is we're not sure that these vulnerabilities have actually been exploited. Maybe it's pretty hard to use these to get in.

Pollard: We do know that exploitation is absolutely possible. Proof of concept code by security researchers — good guys — has been posted. What we don't have evidence of yet is that this is being exploited by bad guys. But it took the good guys in this case that we're learning about it yesterday around a day or so to develop and exploit it. That means that motivated threat actors are going to be able to react as quickly as they are, and so we absolutely have to be concerned. And yes, nothing bad yet, but obviously it is something that can be used for offensive purposes. So the time it takes to incorporate these is certainly shrinking, and that's what we have to be concerned about.

“I think the best compliment I can give is not to say how much your programs have taught me (a ton), but how much Marketplace has motivated me to go out and teach myself.” – Michael in Arlington, VA

As a nonprofit news organization, what matters to us is the same thing that matters to you: being a source for trustworthy, independent news that makes people smarter about business and the economy. So if Marketplace has helped you understand the economy better, make more informed financial decisions or just encouraged you to think differently, we’re asking you to give a little something back.

Become a Marketplace Investor today – in whatever amount is right for you – and keep public service journalism strong. We’re grateful for your support.

Follow David Brancaccio at @DavidBrancaccio