Two named bugs dropped on January 3rd, both concerning the way in which modern CPUs work. The manner in which the so-called "Meltdown" and "Spectre" vulnerabilities function is beyond the scope of this article, but it is important to note that more than Intel's CPUs are affected.
Unfortunately, the patch for Meltdown results in significant decrease in CPU performance for certain workloads.
'Spectre' is very similar in nature, but there are no patches for it as of yet - and, unfortunately, the way in which it works is such that only individual known attacks can be patched against; unlike 'Meltdown', it is not possible to craft a generic patch that handles the vulnerability as a whole.
The only way to properly fix both vulnerabilities is to replace CPU hardware entirely.
Unfortunately, nearly all Intel hardware from approximately the past 25 years is affected, and AMD and ARM hardware are also vulnerable to Spectre. These problems necessitate a complete redesign of existing CPU architectures, and the new designs will, in all likelihood, not be available for several years.
Mitigation of these issues will be long and involved, and system owners should consider the following aspects:
First, it is very unlikely that antivirus programs will be able to reliably detect exploits based on these vulnerabilities. Accordingly, though it may be disruptive, it may be necessary [depending on your environment's business needs and the risk you are prepared to accept] to disallow non-plaintext email and attachments.
If your organization can support it, workstation environments with whitelisted programs - environments where only authorized programs can execute - can help defend against these attacks.
Secondly, if your organization has a significant cloud presence - whether full tenancy or a hybrid architecture - a different set of attack surfaces comes into play.
As mentioned above, the major providers have patched for Meltdown. However, no patch exists for Spectre - and no general patch can exist for it.
This has already resulted in decreased performance being noted for some customers of cloud providers, which may result in increased expense due to the need to provision more instances for a given workload.
Certain 'bare metal' providers that can guarantee single tenancy of given machines will be less affected overall, but those who adopt the usual model of massive multitenancy on large machines will see continued problems pertaining to exploitation of Spectre, as any tenant on such a machine may be able to read information pertaining to any other tenant on the same machine.
This may result in compliance questions pertaining to the confidentiality requirements of HIPAA and other, similar compliance regimes.
Mitigation of cloud-side Spectre concerns will require guarantees from providers as to who is a tenant on any particular cloud instance. It will also require extra expense to account for the decreased performance of any particular instance, as well as the increased expense of single-tenancy environments, if guaranteeing against other parties' potential collection of your cloud-hosted assets is a business or compliance requirement.
Thirdly, for environments making use of virtualization - e.g. Hyper-V or ESXi - all of the above concerns apply. Each server, and each image running on the server, must be patched against Meltdown; and there is the continued concern that Spectre may allow any resident of a host to access resources belonging to any other resident of the same host.
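Verifying that every server and guest image has actually received its Meltdown patch is the practical follow-up to the point above. The following script is an added example and is not part of the original article: it reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ (each file begins with "Not affected", "Vulnerable" or "Mitigation: <name>") and classifies a host as mitigated, vulnerable or unreported. It assumes a Linux host or Linux guest; the sample directory it builds for the demo is constructed, not captured from a real machine, and Windows hosts would instead be checked with Microsoft's SpeculationControl PowerShell module, which is not shown here.

```shell
#!/bin/sh
# Added example (not from the original article): report the kernel's own
# Meltdown/Spectre mitigation status on a Linux host or guest.
# Assumption: Linux 4.15+ sysfs layout, one status file per issue.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Prints one of: not_affected, mitigated, vulnerable, unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit_dir DIR
# Prints "<issue> <class> <raw status>" for meltdown, spectre_v1, spectre_v2.
# Returns 1 if any issue is vulnerable or could not be read, 0 otherwise,
# so the script can gate a fleet-wide inventory job.
audit_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        issue=$(basename "$f")
        if [ ! -r "$f" ]; then
            # Pre-4.15 kernel or non-Linux: the kernel cannot tell us, so
            # the host is treated as unreported rather than assumed safe.
            printf '%s unknown (no sysfs entry)\n' "$issue"
            rc=1
            continue
        fi
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s %s %s\n' "$issue" "$class" "$status"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample (not real host data): a host patched for Meltdown
# with the kernel's Spectre v1 mitigation, but still exposed to Spectre v2.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Run with --demo to audit the constructed sample instead of this host.
if [ "${1:-}" = "--demo" ]; then
    audit_dir "$(make_sample_dir)" || echo "sample host has unmitigated issues"
else
    audit_dir "$VULN_DIR" || echo "THIS HOST HAS UNMITIGATED OR UNREPORTED ISSUES"
fi
```

Because the status files are written by the running kernel itself, the check reflects what is actually active after reboot rather than which package was installed; a guest image that was patched but booted with an old kernel still shows "Vulnerable". Treat a missing file as a finding, not as a clean result.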
The Meltdown and Spectre bugs are severe in nature and of definite concern. Organizations will need to address the pervasive risk of information leakage from these issues and take specific mitigative measures.