The security of user data is utmost when it comes to PCs, cloud, mobile and other sorts of computing platforms. But, the recent reports about the two major CPU bugs – Meltdown and Spectre, is making the entire computing industry go berserk over the security of their user data, private information, passwords and anything that can potentially harm their identity.
The security flaws can let adversaries steal critical information like passwords and bank details that could be saved in the processors’ memory designed by Intel, ARM or AMD.
The CPU bugs are reportedly being found to affect nearly every device made in the last 20 years. It was recently discovered by the security researchers of Google’s Project Zero.
What is Meltdown security flaw?
Meltdown security flaw is specific to the Intel processors. Like its name suggests, it melts down security boundaries enforced by the hardware. It is an Intel only security hole that takes advantage of an out-of-order execution flaw and permits access to kernel memory from user space. This means any user who is able to execute any code on the system is having access to computer’s stored information even in the kernel.
What is Spectre?
Spectre CPU bug can affect Intel, ARM and AMD processors. As it works on speculative execution, its named as Spectre. It works by tricking the processors into executing various information that they otherwise should not have been able to. This grants them access to the sensitive and critical information saved in other applications’ memory.
Meltdown Vs Spectre
Meltdown | Spectre | |
Affected Architecture | Intel | Intel, AMD and ARM |
Vulnerability | There must be some code execution on the system | There must be some code execution on the system |
Mode | Privilege escalation vulnerability and speculative execution | Speculative Execution and Branch Prediction |
Effect | Can read user information from the kernel memory space | Can read other users’ programs memory content |
Action | Software patch updates | Software patch updates |
What is the potential impact of the Meltdown and Spectre microprocessor security flaws?
The bug is present in nearly all the modern Intel processors made in the last decade. This specifically includes every processor since 1995 apart from Intel Itanium and Intel Atom prior to 2013. The thing that makes the attack even more widespread is the fact that it is affecting systems at the architecture level.
So, it does not matter whether you use a PC, laptop, mobile or a tablet; or whether your devices run on Windows, Linux, OS X or Android, everything involving software is vulnerable.
Meltdown particularly can affect cloud platforms also where a large number of computers are networked. Cloud providers using Intel CPUs and Xen PV as the virtualization without the application of patches can be affected by the Meltdown. Also, cloud providers without any real hardware virtualization, and depending on containers that use single kernel like LXC, Docker and OpenVZ are also affected.
It also can potentially bypass the hardware link between various user applications and affect their systems too.
Spectre flaw has a wide spread impact and can affect modern processors made by various manufacturers like Intel, AMR and AMD. The good part is hackers could have a hard time taking advantage of Spectre due to its complex mechanism, while conversely this makes it harder to fix also.
The security hole can be used by hackers to exploit other security bugs.
What is the fix to the Meltdown and Spectre bug?
The major companies like Intel, Google, Microsoft and Apple have started finding fix to the bugs already.
Intel recently issued updates to protect systems from this vulnerability. The company said that it is working with its technology partners to deploy the security updates as software patches and firmware updates. Many OS vendors, device manufacturers, cloud service providers have already updated their products and services.
Other technology giants like Microsoft and Apple also had their patches ready to be used by the desktop affected by the meltdown. Linux patches (KPTI – Kernel Page Table Isolation) have also been introduced.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.” – said Apple in its blog.
Microsoft recently released an update for Windows 10 and will soon release patches for Windows 7 and Windows 8 also. In case, the users are not able to install the update, Microsoft suggests them to turn off their anti-virus and use Windows Defender.
Browsers like Mozilla Firefox, Google Chrome and Microsoft Edge have updated and scheduled updates to solve the security flaw.
The Android users who are running the latest version of the mobile OS are protected from the bug, according to Google.
How can you protect yourself from Spectre and Meltdown?
The Meltdown flaw is being patched by technology companies like Microsoft and Google.
User can check whether their Windows PC is protected or not by going to Settings >> Update & Security. Check for any security updates.
Mac users need to check whether they run on the latest version or not. They can do so by tapping on the Apple menu button >> About this Mac. If not already updated, download the latest version from the App Store application.
The Spectre bug is more complex to fix.
Summarizing
Both Meltdown and Spectre CPU bugs can be a serious threat to the computer systems worldwide. The fact that they enter through the architecture make systems more vulnerable. However, by keeping a close watch on the bugs and tracking the updates from the technology giants like Google, Amazon, Microsoft, Apple etc. you can try and mitigate the risk of getting affected.
There are several academic papers on Meltdown and Spectre and a Project Zero blog on Google that can help you gain deeper insights on the topic.