Meltdown and Spectre
January had barely appeared when headlines blared about two newly discovered computer security flaws: Meltdown and Spectre. Computer processor manufacturers and IT security folks have been scrambling ever since—and will be for a while. But in the wake of seemingly endless updates (especially for Windows machines) and the profusion of hacker stories, end users may be getting jaded.
That complacency is dangerous, because Meltdown and Spectre are dangerous. They affect computers, tablets and smartphones—Windows, Mac, iOS, Android—and even cloud computing. Basically, they affect nearly all computers built in the last 20 years. These flaws are built into the design of nearly all Intel, AMD, and ARM processor chips. They could allow a hacker to access the kernel, the deepest core where the computer stores its most secret documents, passwords, and encrypted keys.
We've pulled together the most important information about these monsters so we can tell you just what you need to know and what you need to do.
The Good, the Bad, and The Ugly about Meltdown and Spectre
Both Meltdown and Spectre take advantage of a process called "speculative execution." Speculative execution speeds up computer performance by handling multiple instructions simultaneously. It also rearranges the order of those instructions, predicting which path a user is most likely to take. Both Meltdown and Spectre exploit speculative execution to access privileged information, including the most sensitive information stored in the computer's kernel.
Meltdown is the easiest vulnerability to exploit. It breaks through the isolation between user applications and the operating system, allowing an invasive app to access the secrets of the kernel, the operating system, and other programs. If you work with any sensitive information before you have protected your system against Meltdown, you run the risk of leaking that data.
Thankfully, Meltdown is also the easiest beast to take down. Windows and Apple have already released software updates to mitigate the vulnerability. More may follow.
Spectre is more complicated. Like Meltdown, Spectre breaks through the isolation between programs. Two factors make Spectre more difficult to combat:
- Spectre exploits the safety checks within programs. These protections actually increase the attack surface, making the application even more vulnerable to attack by Spectre.
- The Spectre vulnerability has two variants. The first variant can be mitigated using software and operating system patches. The second variant, though, will require BIOS or firmware updates.
Some Original Equipment Manufacturers (OEMs) have already released—and in some cases, recalled—BIOS updates after realizing they caused problems like random reboots and screen blackouts. Addressing the vulnerabilities of Spectre's second variant will not be a quick fix. And since the newest processor chips awaiting shipment contain the same design flaws, and redesign will likely be a lengthy process—perhaps as long as two years—Spectre, at least, will be a long-term problem.
The Good and Bad News About Meltdown and Spectre
The good news is that the most exploitable of these vulnerabilities can be fixed. The bad news is that it comes with a price: performance. Making speculative execution more secure also limits its ability to speed up computer applications. Intel claims that performance slowdowns "for the average computer user, should not be significant and will be mitigated over time." Right now, though, users have recorded performance slowdowns of between 1% and 45%! No doubt, chip manufacturers will be under pressure to restore not only security but also performance.
More good news is that as far as we know, nobody has exploited these vulnerabilities. Yet. Of course, now that they are public, it's only a matter of time. So you need to be proactive about protecting your system and your data.
The good news is that you CAN.
It will take a little bit of work—more than usual. But you can do it. And you MUST.
What To Do about Meltdown and Spectre
- Make sure your system is set to auto-install operating system and trusted software updates. That's aggravating—I know. My most recent Windows update took over an hour! One of my frustrated friends recently posted on Facebook, "Anyone have a magic way to put a stop to Windows 10 updates?" Several people, including me, cautioned her, but someone actually told her how. Bad, bad, bad idea. Suck it up and deal with the updates. (And by the way, Macs require updates too.)
- Download and install updates or programs only from original, reliable sources. Never download from second-party sources. At the least, you'll get spam, and at worst, viruses that could exploit Meltdown and Spectre. Now that they're public, hackers will be chomping at the bit.
- Check your system for vulnerability. Steve Gibson of Gibson Research Corporation has released an easy tool that checks your computer for vulnerability to Meltdown and Spectre. Download and run the application, and in about 10 seconds, you'll have a clear picture of your computer's vulnerability and expert advice about what to do next.
- Download the latest releases of your web browser(s) and keep browser versions current.
- Go to your device manufacturer's homepage and search for statements regarding Meltdown and Spectre. You should find announcements about the status of BIOS/firmware updates.
- Check your webhost's site for information about their protections against Meltdown and Spectre. These vulnerabilities affect cloud and shared hosting systems. By breaking down isolations, one user's app could gain access to another user's privileged data. Cloud hosting sites such as Amazon have installed protections against Meltdown and Spectre, but they also recommend client-side actions you need to take. Consult with your web developers if you need help.
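For readers who also run Linux machines, the "check your system" step can be done without extra tools. The script below is an added example, not part of the original article or of any vendor's tooling. It assumes a Linux kernel recent enough to report its status under /sys/devices/system/cpu/vulnerabilities; the function names and the sample values are constructed for illustration.

```python
from pathlib import Path

# Linux sysfs directory where patched kernels report per-issue status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Kernel file names for the three issues discussed in this article.
ISSUES = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
}

def classify(status):
    """Map one status line to not affected / mitigated / vulnerable / unknown."""
    s = status.strip().lower()
    for prefix, verdict in (("not affected", "not affected"),
                            ("mitigation", "mitigated"),
                            ("vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return verdict
    return "unknown"  # empty or unrecognised: kernel may predate the reporting

def read_statuses(directory=SYSFS_DIR):
    """Read each issue's status file; a missing file yields an empty string."""
    out = {}
    for fname in ISSUES:
        try:
            out[fname] = (Path(directory) / fname).read_text().strip()
        except OSError:
            out[fname] = ""
    return out

def report(statuses):
    """Return (report lines, True if any issue is vulnerable or unknown)."""
    lines, needs_action = [], False
    for fname, label in ISSUES.items():
        raw = statuses.get(fname, "")
        verdict = classify(raw)
        needs_action |= verdict in ("vulnerable", "unknown")
        lines.append(f"{label}: {verdict} ({raw or 'no status reported'})")
    return lines, needs_action

# Constructed sample: OS patches applied, variant 2 still awaiting firmware.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    lines, needs_action = report(read_statuses() if SYSFS_DIR.is_dir() else SAMPLE)
    print("\n".join(lines))
    print("Install OS and firmware updates" if needs_action else "All mitigated")
```

An "unknown" result is treated the same as "vulnerable" because a kernel that does not report its status has most likely not received the patches either.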
We're here to protect our clients in every way possible.
We stay current on security developments to make sure your important data is protected.
Stay current on Meltdown and Spectre by reading updates on our Facebook page.