Meltdown & Spectre

Meltdown & Spectre – the two flaws in modern CPUs that allow password and data theft!

This week, news of massive security vulnerabilities affecting every recent model of Intel processor went public, even as developers for almost every major platform frantically rushed to roll out patches. Much more information has now become available about “Meltdown” and “Spectre”, a group of attack methods that malicious entities could use to break into some of the most sensitive inner workings of any device using the affected CPUs.


In 2017, Google’s Project Zero team, in collaboration with researchers at a number of different universities, identified a huge problem with “speculative execution”, one of the techniques employed in modern CPUs as a way of improving performance.

Essentially, when a processor uses speculative execution, instead of performing tasks strictly sequentially (e.g. open up Google Chrome, then STOP and wait for the next instruction), it predicts which calculations it might need to do next (e.g. open Google Chrome & PREPARE to load your favourite website). It then solves them in advance and in parallel. The result is that the CPU wastes some cycles performing unnecessary calculations, but performs chains of commands much faster than if it waited to process them one after the other.


However, there’s a serious flaw in the way modern processors implement speculative execution: they don’t check permissions correctly, and they leak information about speculative commands that don’t end up being run. Oops.

As a result, user programs may be able to steal glimpses of protected parts of kernel memory. That’s memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it’s supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.

According to a release by the Graz University of Technology, the researchers have identified three potential attack methods: Meltdown, and two closely related vulnerabilities collectively named Spectre.

Who’s at risk?

Since this is a hardware bug, everything running on affected processors is vulnerable including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers such as Amazon and Google.

Microsoft have prepared a patch for Windows 10 and are working on fixes for Windows 7 and Windows 8.

Apple have supposedly fixed the issue for their Mac product lineup – but haven’t released a statement yet.

What do I need to do?

Update your devices! Find 5 minutes spare out of your day to check for updates, and make sure they’re fully installed. We recommend checking frequently over the next few days as new patches are released that make it much more difficult for hackers to leverage these vulnerabilities.
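On a Linux machine you can confirm that an update actually took effect, because the kernel (4.15 and later) reports its own Meltdown and Spectre status under sysfs. The script below is an added example, not part of the original post; the function names `classify_status` and `check_cpu_vulns` are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of CPU vulnerability status.
# Linux exposes one text file per issue (meltdown, spectre_v1, spectre_v2, ...)
# in this directory; each file holds a one-line status string.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status text>" -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        Mitigation*)     echo MITIGATED ;;
        Vulnerable*)     echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # unexpected wording: review by hand
    esac
}

# check_cpu_vulns [dir] -> prints one line per status file and returns the
# number of entries that are not OK or MITIGATED (255 if the directory is missing).
# Usage after sourcing this file: check_cpu_vulns
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir (older kernel, or not Linux)" >&2
        return 255
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-11s %-20s %s\n' "$verdict" "$(basename "$f")" "$status"
        case "$verdict" in
            OK|MITIGATED) ;;
            *) bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}
```

A return value of 0 means every listed issue is either not applicable to the CPU or has a mitigation active; anything else means more updates (operating system or firmware) are still needed.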

About Provident

From ad-hoc technical support through to fully managed IT support, the Provident IT team can be your own internal IT department – but with more resources and lower costs. We work with businesses of all sizes and in all kinds of different capacities, with a proven track record for improving productivity, increasing security and reducing IT spend for our clients.
