This week, a pair of vulnerabilities broke basic security for practically all computers. That's not an overstatement. Revelations about Meltdown and Spectre have wreaked digital havoc and left a critical mass of confusion in their wake. Not only are they terrifically complex vulnerabilities, the fixes that do exist have come in patchwork fashion. With most computing devices made in the last two decades at risk, it's worth taking stock of how the clean-up efforts are going.

Part of the pandemonium over addressing these vulnerabilities stems from the necessary involvement of multiple players. To add protections, processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as the software companies that actually run code on them. Intel can't single-handedly patch the problem, because third-party companies implement its processors differently across the tech industry. As a result, groups like Microsoft, Apple, Google, Amazon, and the Linux Project have all been interacting and collaborating with researchers and the processor makers to push out fixes.

So how's it going so far? Better, at least, than it seemed at first. The United States Computer Emergency Readiness Team and others initially believed that the only way to protect against Meltdown and Spectre would be total hardware replacement. The vulnerabilities impact fundamental aspects of how mainstream processors manage and silo data, and replacing them with chips that correct these flaws still may be the best bet for high-security environments. In general, though, replacing basically every processor ever simply isn't going to happen. CERT now recommends "apply updates" as the solution for Meltdown and Spectre.

As for those patches, well, some are here. Some are en route. And others may be a long time coming.

"Everybody is saying 'we're not affected' or 'hey, we released patches,' and it has been really confusing," says Archie Agarwal, CEO of the enterprise security firm ThreatModeler. "And in the security community it's hard to tell who is the right person to resolve this and how soon can it be resolved. The impact is pretty big on this one."

Rapid Response

Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system), impacts Intel and Qualcomm processors, and one type of ARM chip. Intel has released firmware patches for its processors, and has been working with numerous manufacturers, like Apple and HP, to distribute them. Intel has also coordinated with operating system developers to distribute software-level mitigations. Patches are already out for recent versions of Windows, Android, macOS, iOS, Chrome OS, and Linux.

The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.) It affects processors from Intel, ARM, AMD, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems. But Apple, for example, has said it is still working on its Spectre patches, and hopes to release them within a few days.

"One of the most confusing parts of this whole thing is that there are two vulnerabilities that affect similar things, so it's been challenging just to keep the two separate," says Alex Hamerstone, a penetration tester and compliance expert at the IT security company TrustedSec. "But it's important to patch these because of the type of deep access they give. When people are developing technology or applications they’re not even thinking about this type of access as being a possibility so it’s not something they’re working around—it just wasn't in anybody’s mind."

Cloud providers like Amazon Web Services are working to apply patches to their systems as well, and are grappling with corresponding performance slowdowns; the fixes involve routing data for processing in less efficient ways. Google released a mitigation called Retpoline on Thursday in an attempt to manage performance issues and has already implemented it in Google Cloud Platform.