By Tom Loftus
By Sara Castellanos and Kim S. Nash
Technology executives say they're working feverishly to assess the potential impact of two widespread hardware vulnerabilities found by cybersecurity experts.
Two bugs, dubbed Spectre and Meltdown, in major computer chips can let attackers read data stored in memory, such as encryption keys and passwords, according to researchers who found the vulnerabilities. With that data, criminals could later penetrate systems.
Ted Ross, chief information officer at the City of Los Angeles, said reports of the hardware flaws have led to a rapid response within the city's cybersecurity, application support and data center divisions.
"(They're) all scrambling to identify scope, vulnerability, risk, and remediation," Mr. Ross said.
The biggest challenge has been reaching out to cloud and on-premises vendors to understand their responses to the vulnerabilities while ensuring there won't be disruptions to digital services as fixes are rolled out, he said. Mr. Ross compared the response to an IT fire drill, but "securing digital assets is always worth the priority," he said.
The security flaws leave modern computing devices, including desktop computers, smartphones and internet servers, vulnerable to attack. Technology companies ranging from Intel Corp. to Alphabet Inc.'s Google and Amazon.com Inc. have rushed to explain the nature of the bugs and what they're doing to minimize the threat, including rolling out software fixes.
"Like every CIO and (chief technology officer) on the planet, I am very concerned," said Ashwin Rangan, chief information officer at the Internet Corporation for Assigned Names and Numbers, or ICANN.
The full impact will become evident in the coming days, he said. "Each of us will have to assess the impact on our organization specifically and take actions which are sensible and practical," Mr. Rangan said.
While the security vulnerabilities could allow hackers to access and steal data from devices or servers, there have been no reports so far of any significant breaches related to the flaws.
Still, technology executives are living in an age of "mega-vulnerabilities," with Meltdown and Spectre being the most recent bugs, said Pete Chronis, chief information security officer at Turner Broadcasting.
"A single vulnerability can affect the global tech ecosystem," he said in an email. "Addressing these types of risks is challenging and requires a steady approach that prioritizes ... the riskiest systems first."
He plans to test patches thoroughly before applying them to all systems in order to avoid inadvertently causing glitches from incompatible software.
"Patching too quickly might cause more complicated issues," Mr. Chronis said. "[Keeping] a close eye on issues experienced from others in the tech community is critical."
Technology executives have time to plan fixes because no malicious exploits related to Meltdown and Spectre have been discovered, said Rob Clyde, vice chairman of ISACA, the professional group formerly known as the Information Systems Audit and Control Association.
Companies that conduct large numbers of transactions on servers and other potentially affected systems can test patches before propagating them, he said. "Rather than just blindly applying a patch, they have a cushion of hours or days -- but not months," he said. "It's nearly certain that attackers will start to exploit the vulnerability over time."
Vendors are making patches available to customers and will continue to do so in the coming days, but not everyone will choose to apply patches immediately, said Lydia Leong, vice president and distinguished analyst at Gartner Inc.
Some customers may decide not to patch all systems because the patches might have negative impacts on the performance of some applications, she said. Some patches could slow down computers, security experts have warned.
But customers shouldn't ignore the potential risks, Ms. Leong said. Technology executives should work with software vendors to determine how the patches might impact performance and decide whether that outweighs security risks, she said.
"There's always a chance that you could get caught flat-footed when an exploit goes into the wild," she said.
Steven Rosenbush contributed to this story.