{"id":11001,"date":"2018-01-04T08:30:13","date_gmt":"2018-01-04T16:30:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4772\/"},"modified":"2018-01-04T08:30:13","modified_gmt":"2018-01-04T16:30:13","slug":"news-4772","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/04\/news-4772\/","title":{"rendered":"Apple acts as digital transformation hits panic mode"},"content":{"rendered":"

<\/p>\n

Credit to Author: Jonny Evans| Date: Thu, 04 Jan 2018 08:03:00 -0800<\/strong><\/p>\n

Apple is updating its systems<\/a> against newly revealed Spectre and Meltdown vulnerabilities<\/a>, but it\u2019s not enough to update personal devices \u2013 what about older PCs and the millions of servers that may also be vulnerable to the bug?<\/p>\n

The Spectre and Meltdown bugs are causing lots of distress. Meltdown impacts Intel processors, while Spectre appears to threaten chips from AMD and ARM as well. A good explanation of these vulnerabilities is here<\/a>.<\/p>\n

My over-simplified understanding follows:<\/p>\n

As I understand it, attacks based on these flaws can\u2019t take place across the Internet.<\/p>\n

\u201cIt is important to note that this method is dependent on malware running locally which means it\u2019s imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads,\u201d ARM said.<\/p>\n

In other words, in order to use Meltdown or Spectre to undermine security on a Mac, iPhone or thermostat, the attacker needs to be physically with the target system.<\/p>\n

Big tech got informed of the flaws a few weeks ago.<\/p>\n

Apple has already upgraded Mac security against the flaws and is thought to be preparing another upgrade for its systems. Intel\u2019s CEO courted controversy by selling Intel shares after the company was made aware of the problem last year<\/a>.<\/p>\n

9to5Mac<\/a><\/em> speculates that iPhones 4 \u2013 5 and first, second and third generation iPads may be susceptible, but it\u2019s important to stress that we don\u2019t actually have all the details we need in order to figure out the magnitude of the problem, and its impact on the Mac.<\/p>\n

We have been told the flaws may impact devices as far back as those released in 1995.<\/p>\n

What we don\u2019t know is for how long the existence of the flaws has been known.\u00a0Discovery in the public interest doesn\u2019t necessarily mean these flaws weren\u2019t already known elsewhere.<\/p>\n

The danger of these flaws is that they provide a nice route to undermine security \u2013 and while that\u2019s bad for our personal devices (which do include some older iPhones), it\u2019s really bad for any old and hardly-ever-updated PCs connected to the network.<\/p>\n

While most end users can probably expect to receive software patches to proof their systems against the flaw (eventually), the vulnerability also impacts servers. What are those servers doing?<\/p>\n

They might be:<\/p>\n

In comparison with the widely discussed Heartbleed and Shellshock attacks, Spectre\/Meltdown reflect decades of a deep vulnerability being in existence.<\/p>\n

What makes this really concerning is that most reports claim that these flaws have existed for a long time. This means that if any malicious entity was previously aware of these vulnerabilities they will have been able to access a huge quantity of data, without oversight, regulation, protection, permission or control. No one knows if these flaws have been exploited in this way.<\/p>\n

The other problem is lack of protection for older systems. Those Windows XP systems are still firmly entrenched across enterprise IT. News that Macs, PCs, iPhones and other solutions are vulnerable to these exploits is far from reassuring.<\/p>\n

Sure, we\u2019ll handle the minor inconvenience of a software upgrade \u2013 but what about those older devices? How quickly will SME\u2019s who happen to hold confidential client data update their systems? Will manufacturers even update veteran systems that are still widely used despite being declared end-of-life? What control does anyone who has entrusted their data to a third-party have that the data controller will act swiftly and intelligently to quickly patch their systems? \u00a0What about those iCloud servers? What\u2019s the status of AWS servers?<\/p>\n