Every computer has a central processing unit, or CPU. It’s the main brain that does most of the “thinking” in a digital device. And two new flaws have been discovered that can allow an attacker to grab the data that’s being crunched inside the chip.
The flaws, known as Meltdown and Spectre, together impact most of the computing devices on the planet. Meltdown is a flaw that affects processors made by Intel. The Spectre flaw, the more serious of the two, affects Intel, AMD and ARM processors.
Do you need to be worried? You bet.
While the researchers at Google who discovered the flaw say they have not yet seen any exploits in real life, they have been able to craft proof-of-concept software routines that trigger it. The bottom line is that the information being processed in most of the world’s computers can be accessed by people who are not authorized to do so.
The issue is serious enough that researchers have put together a website devoted to it. MeltdownAttack.com provides plain-English details about Meltdown and Spectre, as well as technical papers for those wanting to dive into nitty-gritty details. The flaws even have their own logos.
“Yes, it’s a big deal,” says Chris Bronk, an assistant professor of computer science at the University of Houston whose focus is security. “Both of them are serious bugs.”
Here’s what the flaws involve, and what you can do about them.
What happens with the Meltdown flaw?
Typically, programs that move information into and out of the processor can’t access what’s known as system memory. But Meltdown breaks down those boundaries, making what’s inside the system memory accessible.
It does so by tricking something called “speculative execution” into giving it up. This is a technique that has been used by processors since 1995 to run commands in advance, speculating what might be needed next in a program. This dramatically speeds up computing — by the time a program says, “Hey, do this for me!” the processor can respond, “Already done, my man!”
An attacker triggering the flaw can then suck all the data being worked — including passwords, credit card numbers, anything.
Fortunately, Meltdown can be prevented by patches in operating system software. More on that in a moment.
What happens with the Spectre flaw?
Spectre is similar, but Bronk says the flaw “deals with more architectural issues in hardware,” and thus is harder to fix. Spectre tricks other programs to access information in system memory, according to the MeltdownAttack.com site.
And because Spectre’s issue is more hardware-based, it’s harder to fix. The Computer Emergency Response Team, the United States’ primary defense against computer attacks, says the only real way to fix Spectre is to replace processors that have the flaw. There are no available software patches.
What devices are affected?
If you own a computer with an Intel-based processor — which is most PCs since 1995 and all Macs since 2006 — then that device is affected by Meltdown. According to what’s known now, devices using AMD and ARM processors are not affected, but it’s not 100 percent certain.
If you own a computer or smartphone that uses an Intel, AMD or ARM processor, those devices are vulnerable to Spectre. That includes most Android phones and tablets, and possibly Apple’s iPhone and iPad. Apple licensed ARM’s chip architecture to build its own chips used in its mobile products, but it’s not clear yet if they are impacted. So far, Apple has been silent on the matter.
How can I protect myself?
Although Meltdown is a processor-based flaw, it can be protected against by patches in operating systems. Microsoft is about to release an update for Windows 7, 8 and 10 with a fix.
Based on code found in the latest version of Apple’s macOS software, High Sierra 10.13.2, Macs are already patched.
Patches have already been released for many versions of Linux. In fact, originally the flaws weren’t supposed to be announced until Thursday, but Linux users spotted updates to that operating system earlier in the week and put two-and-two together.
At the moment, there is no protection against Spectre, but you can take cold comfort in the fact that researchers say an exploit is not easy to do.
In both cases, exploits could come by users being tricked into downloading and running malicious software, something that, sadly, happens all too often. It won’t be long before evildoers turn their attention to both of these flaws. Your best defense, for now, is to make sure you’re up to date on all your software applications and running the most recent version of your operating system.
Wait, what if I have an older system that’s not getting updates?
This is a major issue, particularly among those using older PCs and Android devices.
Microsoft no longer updates Windows XP, the operating system it introduced in 2001, and although it occasionally released emergency security patches for it, one has not been announced for Meltdown. This would be excellent excuse to finally upgrade your operating system or, if you can, get a whole new computer.
Android smartphones and tablets must get their updates from either the device manufacturer or the wireless carrier — and both must sign off on any updates before they are distributed. In addition, there are a lot of older Android phones out there that are no longer getting any updates at all. They could be at risk permanently.
Why are we just finding out about this now?
UH’s Bronk says the current state of the art in security research has made it possible to find flaws we previously missed.
“Our tools for discovering these are much better than they were in 1995,” he said. “And, if you are not looking for it explicitly, you may never find it. The security research community is also a lot bigger than it was back in ‘95.”
The Google researchers first found Meltdown and Spectre back in June and then told chip makers about it. They’ve been scrambling to find a fix ever since. So far, they’ve been only partially successful.
Below you can read the technical papers for both flaws.