Almost all computers and devices worldwide have been exposed to security flaws that leave them vulnerable to attack. Luckily no information leak has been reported till date, but the bugs that have been discovered could be considered as one of the worst security flaws in the processors.
Below we’ve covered almost all aspects (technical as well as business) of this bug. So lets find out what exactly has happened.
1. What Are The Flaws?
There are two similar security bugs, dubbed as Meltdown and Spectre.
Meltdown: A hardware vulnerability affecting desktop computers, laptops and servers running on Intel processors. It breaks the fundamental isolation between operating system and user applications, allowing the program to access the memory and thus secrets of other programs.
Specifically, Meltdown takes advantage of the side effects of out-of-order execution on today’s chips in order to read arbitrary kernel memory locations. The attack does not rely on any operating system or software vulnerabilities.
Once the device is affected, Meltdown can read memory of other processes or virtual machines in the cloud without any privileges or user permissions, affecting virtually every user of a PC.
Detailed Information: Meltdown
Spectre: It has a wider reach. It affects computers, tablets and smartphones powered by Intel, AMD and ARM. It can break the isolation between different applications, and enable attackers to trick error-free program into leaking their private data.
Spectre exploits the “Speculative Execution” used in almost all modern chips. It tricks the processor into speculatively executing instruction sequences that shouldn’t have executed during correct program execution.
Detailed Information: Spectre Attacks- Exploiting Speculative Execution
Both of them use side channels to extract the data from the accessed memory location. If you compare these two, Spectre is quite harder to exploit than Meltdown, but also harder to mitigate.
2. What Type of Information Is At Risk?
These bugs can leak passwords in a browser or password manager, keystrokes, instant messages, emails, your personal photos and business-critical data.
3. What Systems Are Affected and How Big It Is?
As we’ve mentioned above, Meltdown flaw only applies on Intel processors (not AMD or ARM). Researchers have tested it on CPUs launched as early as 2011. Theoretically, every Intel processor released after 1995 is a target. Intel believes these flaws don’t have potential to modify, corrupt or erase information.
Spectre flaw, on the other hand is much worse, it can harm all devices running on Intel, AMD and ARM processors. Moreover, depending on the design and infrastructure of cloud providers, it could be possible to steal sensitive data from other customers. Services like LXC, Docker and OpenVZ are at risk.
So if you’re curious whether your device is affected by these bugs, we would say, most certainly yes.
4. How to Protect Computers?
All affected companies are working to issue patches as soon as possible. Fortunately, software patches are available for Meltdown. Google, Microsoft and Mozilla are releasing patches for their browsers as a first line of defence.
Here the quick step you can take-
- Update the latest version of Chrome (to be released on 23rd January) and Firefox 57.
- Ensure you have installed KB4056892 for Windows 10.
- Linux users can check out KAISER.
- Check OEM website for firmware update and support information and apply any quickly.
Google says, it has fixed the issues for their Android devices (Nexus and Pixel) with latest security updates.
Researchers are also working to come up with a permanent solution against future exploitation of Spectre. Since it’s not easy to fix, it’s going to haunt us for quite some time.
5. Will The Fix Slow Down Your Device?
Unfortunately, the answer is yes. A few researchers stated that any fix could slow down your device up to 30 percent. However, Intel believes they are just overestimated claims. According to Intel, any performance impact depends on workload; for average computer users the impact should not be significant.
That means, if you use your computer for checking emails and browsing web, you won’t experience any difference.
6. How Tech Industry and Market Reacted?
These are probably one of the worst processor bugs ever discovered, and this is a huge deal for all tech industries. They will need to redesign operating system and tweak processor architecture.
Google stated that it notified the affected firms about the Spectre bug in June 2017, and later informed about the Meltdown bug in July.
In November 2017, Intel CEO Brain Krzanich sold off $24 million worth of stock. BusinessInsider reported he was aware of the chip vulnerability when he sold shares.
These bugs are hitting Intel’s stock hard, while rival AMD’s share is soaring.
Since Spectre and Meltdown uncover very fundamental flaws in how computer processors are structured, there will be a serious impact and rethink about how such technology is developed in the future.
7. Who Reported These Bugs?
Meltdown flaw was discovered and reported by 3 teams – researchers at Cyberus Technology, Graz University of Technology and Google Project Zero.
The same researchers at Google Project Zero and Graz University of Technology discovered and reported Spectre.
8. Official References
The CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability and their Names and IDs are listed in MITRE system and in the US National Vulnerability Database.
The official reference to Meltdown is CVE-2017-5754, whereas for Spectre, it’s CVE-2017-5715 and CVE-2017-5753.