Patching – digging up the foundations
Today we saw the latest twist in the Meltdown and Spectre story, with Intel formally withdrawing its patches (http://www.bbc.co.uk/news/technology-42788169), and the main question is: what does this teach us about patching?
The best way of thinking about patches is a bit like a house. The closer the repair is to the foundations, the greater the risk to the rest of the building; the closer to the roof (or, in computer terms, the interface), the lower the risk.
Intel’s patches are effectively trying to dig up and re-lay the foundations of a house without damaging the structure above. This is, to say the least, high risk; most would say it is unlikely to be completed without causing collateral damage.
This means two of the main paradigms of information security need to be balanced –
- The ongoing availability of systems
- Protection of data and assets from attack
Based on current reporting, it would appear that the threat to availability posed by the patches somewhat exceeds the threat to data and assets. This is potentially a fine balance, though: there is little news of an active exploit, and much news of issues resulting from the patches.
Though each company should, and hopefully will, have its own risk management strategy, this is perhaps a case where a deeper look is required.