By now you’ve probably heard the terms ‘Meltdown’ and ‘Spectre’ making their rounds in security, tech, and even mainstream news. But if you’re like the majority of the population, these terms don’t mean much to you, nor are you actively paying attention the unfolding of events.
Let’s start by saying that if you’re reading this article, you’re affected. In fact, if you own a computer, smartphone or tablet made in the last 20 years, you are affected. The ‘Spectre ‘and ‘Meltdown’ vulnerabilities affect almost every computer in the world.
Got your attention now?
Meltdown and Spectre are the names of two serious security flaws that have been found within computer processors. They could allow hackers to steal sensitive data without users knowing, one of them affecting chips made as far back as 1995. The vulnerabilities were discovered last year, but only recently disclosed to the public.
How Do These Exploits Work?
To explain what Meltdown and Spectre are, and how they work, we first have to understand a little bit about how a computer works at the processor level.
The processor, or central processing unit (CPU), is the primary chip in a computer that carries out the instructions of a computer program – in essence, the brain of the computer.
When you command a program to do something, it is the processor that carries out that command, cooperating with the rest of the system to perform the required task. In order to complete the myriad, complex tasks we ask computers to do, they have to be able to “think ahead”, so to speak. This is called ‘speculative execution’. Speculative execution went mainstream between 15 and 20 years ago This is why, theoretically, every CPU made in the last 20 years or so is vulnerable.
Anytime you open Facebook, buy something from Amazon, or check your email, you are prompted to enter passwords, payment information, etc. We gladly enter this information assuming that the data is securely transmitted. While this is true, the catch is that every keystroke has to pass through your computer’s processor before being securely transmitted. What’s important, though, is that your CPU constructs a ‘wall’ between your processor’s tasks and the other applications on your computer, and between your web browser and the other things you’re doing. Or, at least that’s supposed to be what happens. This is where Meltdown and Spectre come in.
According to researchers, Meltdown "basically melts security boundaries which are normally enforced by the hardware." Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and also the secrets of other programs and the operating system.
Spectre, meanwhile, "breaks the isolation between different applications" allowing "an attacker to trick error-free programs, which follow best practices, into leaking their secrets." Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
What processors are affected?
Spectre affects all modern processors, including those designed by Intel, AMD and ARM, but Meltdown is currently thought only to affect Intel chips manufactured since 1995, with the exception of the Itanium and Atom chips made before 2013.
What data is at risk?
Theoretically all sensitive data stored in your computer’s memory is at risk. Banking records, credit cards, financial data, communications, logins, passwords and secret information could all be at risk due to Meltdown.
Spectre can be used to trick normal applications into giving up sensitive data, which potentially means anything processed by an application can be stolen, including passwords and other data.
Am I safe?
The good news is that these vulnerabilities are incredibly difficult to exploit and, so far, there is no known attack involving either vulnerability. As a regular consumer, you are highly unlikely to be targeted due to the difficulty of launching these attacks. The problem is that this bug affects devices used by governments and those designed to protect corporate secrets, banking information, and other vital data. However, there is one vital thing you can do to protect yourself.
How can I protect myself?
Update, update, update!
Meltdown can be mostly mitigated with software patches, and companies, if they haven't already, are rushing to release updates to mitigate possible Meltdown and Spectre exploitations.
Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice.
But, because more updates are coming down the pike, you're not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don't pull the classic "remind me later" bit.
While Meltdown, has an ‘easy’ fix, Spectre is a bit trickier.
"Spectre is harder to exploit than Meltdown, but it is also harder to mitigate," explain the researchers behind the discovery. "However, it is possible to prevent specific known exploits based on Spectre through software patches." Spectre was given its name because it is going to haunt us for some time and could potentially require new processors for a complete fix.
Meltdown and Spectre are largely broader issues that will affect chip manufacturers for years to come. These two bugs have lived in almost every device for the last 20 years without anyone knowing. This begs the question whether there are other critical flaws out there, and how to prevent future vulnerabilities.
Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.