Meltdown and Spectre

It has been a very scary start of the year. We're only a few days in and the world is already falling apart. If you aren't scared already, it is enough to see a demonstration of the Meltdown and Spectre exploits to feel very uncomfortable.

I won't go into the details as this dreadful exploit family already has a web page with all the information one could desire to know. If that's not enough, probably every major news outlet has an article or two about it.

In the midst of all this ruckus and panic, unfortunately, for most of us there is nothing to do. Due to the nature of these faults, the fix has to be done either in hardware (albeit with some mitigations via microcode update) or in the OS kernel of your choice. There is simply nothing an application developer can realistically do but wait. Once the "big boys" have done their work, there will be a flurry of activity if you need to do some performance testing, and that's it. Explicit regression testing will not be needed as you have it automated to run overnight anyhow (wink-wink), and the risk of user code breakage is quite low.

If you are dealing with OS maintenance, you will have a bit more work to do. While some patches are already out, more are still expected, and I trust Murphy will ensure that at least some patches will receive patches of their own. If you are dealing with a cloud environment, you will have your work multiplied by a factor, but that comes with the saving grace of easily automating stuff across many machines. It will be busy but surmountable.

Those of us who also deal with hardware, I pity. Updating firmware is annoying even when there is no pressure. Generally the machine has to go down to even think about it. Then you will try to automate it only to find out that 50% of your blades simply didn't "take" the update and the vendor coolly advises that "it sometime happens" and that you should proceed with manual installation.

And, of course, these servers haven't had their firmware updated for a while, and the microcode you want will come with a bunch of other firmware fixes and changes you don't want to deal with right now. Tough luck - microcode will not be "backported" to your current version. Just hope it doesn't change some obscure default, causing an issue when the machine is finally booted up, or require you to update your pristine 1.0 to some other version before you can even think about getting the latest.

And please don't think about going home, because you'll see a BIOS with the microcode update ready in the next few days for your home computer too. For example, my Dell has had it for a couple of days now. So you will go updating all personal computers only to discover your wife's laptop doesn't boot anymore...

May you live in interesting times, indeed.
