Menu
      

News

Chuck Fields
/ Categories: Blog

Meltdown and Spectre Bugs Explained

Meltdown and Spectre vulnerabilities

Let’s take a look at Meltdown and Spectre, the bugs all over the news lately that can affect nearly every computer and device made in the last 20 years.  Yes—nearly every computer and device including Apple and Windows, from your personal computer and phone as well as those devices in the cloud and data centers around the world. These were actually discovered last year in June 2017 and both work by exploiting critical vulnerabilities in modern processors. These allow programs to steal data, such as passwords stored in a password manager or browser, as well as photos, emails and documents.

Meltdown & Spectre have hit the news recently as device manufacturers and software organizations are beginning to roll out updates to help keep everyone safe. In this article I’m going to explain what these are and what you can do to help mitigate their effects for yourself and your organization:

 

  1. Meltdown Explained
  2. Spectre Explained
  3. How to protect yourself

 

  1. What is Meltdown?

Meltdown is the vulnerability that basically melts down security boundaries in hardware. According to https://meltdownattack.com, Meltdown was discovered by three teams: Google Project Zero, Cyberus Technology and the Graz University of Technology. Paul Miller of theVerge.com offers this helpful analogy at https://www.theverge.com/2018/1/6/16854668/meltdown-spectre-hack-explained-bank-heist-analogy: The goal here is to rob a bank, where inside the bank vault is a piece of paper with someone’s password on it. Of course there’s a security guard who won’t let anyone look at that piece of paper except for the owner. 

Okay, so it seems like the password is well protected. But that bank is about to experience a Meltdown.

You lead a team of unlimited secret agents to help carry out an attack. You send an agent into the bank and they try to get into the vault before getting caught. You have them wear a microphone so you can hear everything they say. You keep sending in agent after agent until you get the information you need. Since there’s an unlimited number of agents so you just keep trying until one succeeds.  Finally an agent gets into the vault and is able to look at the piece of paper with the password on it. They whisper the password into the microphone just before the guard can stop them. Now you know the password and can use it as needed to gain access to their accounts.

That’s how meltdown works on a computer or device. The attacker has code that looks at memory that should be restricted. The computer processor throws an exception and the CPU cleans everything up, erasing any evidence of the crime. But the attacks keep coming, and while the CPU is doing cleanup, it’s also executing other code out of order. This is what leaks the password. The out of order code is what transmits the restricted information while the CPU is busy.

What does Meltdown effect? It’s thought the Meltdown only affects Intel chips manufactured since 1993, with the exception of Atom and Itanium chips made before 2013. But Spectre, the other vulnerability bug, affects all modern processors, including Intel, AMD and ARM.

For more information about Meltdown visit: https://meltdownattack.com/meltdown.pdf

 

  1. What is Spectre?

Like Meltdown, Spectre uses attacks to steal information from the accessed memory location. However, Spectre works by tricking programs into leaking their secrets. Almost every system is affected by Spectre, including desktops, laptops, cloud servers and smartphones.

Spectre gets its name from the root cause, which is called “Speculative Execution”. That’s an optimization technique where a computer system performs a task that might not actually be needed. In fact, a processor actually makes a prediction as to the path that a program will follow, and then speculatively execute instructions along this predicted path. These predictions actually improve performance. However, Spectre works by exploiting the predictions process—mis-training the processor to make it predict wrongly and execute.  So in essence, Spectre works by tricking programs into leaking their secrets.

For more information about Spectre visit: https://spectreattack.com/spectre.pdf

 

  1. How to protect yourself

Since the Meltdown and Spectre vulnerabilities were discovered several months ago, companies like Apple and Microsoft, as well as processor manufacturers such as Intel and AMD, have been working on updates and patches that can protect you. Cloud service providers, such as Amazon, have been working hard to update their servers as well.

Note that many of the fixes are still on the way and could take months. Also, the fix for Meltdown will actually slow down Intel processors anywhere from 5 to 30 percent. No it’s not a ploy to get you to upgrade your hardware, it’s just the price we all will have to pay to ensure greater security. The fix for Spectre might be even further away since the fundamental way that current processors work is being affected. 

Above all else, you need to update your computers and devices immediately. So make sure you and your team are up-to-date with the latest releases now, and keep checking to make certain you stay up to date as new releases come out.

 

Who am I?

I’m Chuck, the founder of SpaceTech Software. I’ve been developing custom web applications for more than 15 years. Before that I was a marketing director helping businesses both nationally and internationally. I fell in love with web technology in 1997, and transitioned to full time development as a Microsoft programmer. Now I work with companies to streamline business processes, reduce transaction fees and eliminate bottlenecks so that businesses can stop wasting time and get things done faster and more efficiently.

Previous Article Is it time to revamp or rewrite your website?
Next Article The Apple iPhone revolution, from the original iPhone through SlowPhoneGate & SmartPhone Rehab
Print
410 Rate this article:
5.0

x