Meltdown & Spectre – the two flaws in modern CPU’s that allow password and data theft!
This week, news of massive security vulnerabilities affecting every recent model of Intel processor went public, even as developers for almost every major platform frantically rushed to roll out patches. Much more information has now become available about “Meltdown” and “Spectre”, a group of attack methods that malicious entities could use to break into some of the most sensitive inner workings of any device using the affected CPUs.
In 2017, Google’s Project Zero team, in collaboration with researchers at a number of different universities, identified a huge problem with “speculative execution”; one of the techniques employed in modern CPU’s as a way of improving performance.
Essentially, when a processor uses speculative execution, instead of performing tasks strictly sequentially (e.g. Open up Google Chrome, then STOP and wait for the next instruction) it predicts which calculations it might need to do subsequently (e.g. Open Google Chrome & PREPARE to load your favourite website.) It then solves them in advance and in parallel fashion. The result is that the CPU wastes some cycles performing unnecessary calculations, but performs chains of commands much faster than if it waited to process them one after the other.
However, there’s a serious flaw in the way modern processors are hardcoded to use speculative execution—they don’t check permissions correctly and leak information about speculative commands that don’t end up being run. Oops.
As a result, user programs can possibly steal glimpses at protected parts of the kernel memory. That’s memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it’s supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result.
According to a release by the Graz University of Technology, the researchers have identified three potential attack methods, Meltdown and two closely-related vulnerabilities collectively named Spectre.
Who’s at risk?
Since this is a hardware bug, everything running on affected processors is vulnerable including every major OS (Windows, Linux, and macOS), some mobile devices, and cloud computing providers such as Amazon and Google.
Microsoft have prepared a patch for Windows 10 and are working on fixes for Windows 7 and Windows 8.
Apple have supposedly fixed the issue for their Mac product lineup – but haven’t released a statement yet.
What do I need to do?
Update your devices! Find 5 minutes spare out of your day to check for updates, and make sure they’re fully installed. We recommend checking frequently over the next few days as new patches are released that make it much more difficult for hackers to leverage these vulnerabilities.