All about Spectre and Meltdown, the security bugs setting the tech world on fire

4 Jan 2018

Image: Iammotos/Shutterstock

The tech world is in ‘Meltdown’ as ‘Spectre’ of CPU security flaw extends beyond Intel chips to AMD and ARM chips, too.

Insiders in the tech world are believed to have known for months about the security flaws that exist on not only Intel chips, but those made by AMD and ARM as well.

Yesterday (3 January), we reported that Intel processors made in the last decade may have a fundamental design flaw that affects the security of Windows and Linux-based systems.

‘The very real fear is that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer’s memory, which may be storing sensitive information. Think passwords, private keys, credit card data’

The bug allows normal user programs to view some of the contents of the processor’s kernel memory, which should be well protected.

The bugs known as Spectre and Meltdown, which affect nearly all computers worldwide, leave PCs and phones vulnerable to attacks by hackers.

So far, no breaches have been reported but the fear is that privately stored data in computers and networks could potentially be hacked.

What is Meltdown?

The Meltdown bug concerns laptops, desktop computers and internet servers that have Intel chips.

It breaks down the most fundamental isolation between user applications and the operating system. The attack therefore allows a program to access the memory and other secrets of programs and the operating system.

It affects both personal computers and cloud infrastructure. Software giants such as Microsoft and the Linux Foundation have rushed to issue patches to fix the vulnerability. At the time of writing, Apple has yet to comment publicly on the matter.

What is Spectre?

Spectre is a bug that breaks the isolation between different applications.

This potentially allows hackers to ‘trick’ error-free programs that normally follow best practices into ‘leaking’ their secrets. By trying to do the right thing following best practices, applications only end up increasing the attack surface, making more applications vulnerable.

Researchers warn that Spectre is harder to exploit than Meltdown but is also harder to mitigate.

Just what can hackers do if they exploit Meltdown and Spectre?

Last year, Google’s Project Zero team discovered serious flaws caused by a technique that is used by CPUs to optimise performance.

According to Project Zero researcher Jann Horn, malicious code could be used for “speculative execution” to read system memory that should otherwise be inaccessible.

“For example, an unauthorised party may read sensitive information in the system’s memory, such as passwords, encryption keys or sensitive information open in applications,” Google said.

So, how long has the industry known about the vulnerability?

The general consensus is months, and that the tech industry was working on a coordinated plan to disclose the bugs and resolve the problems (if they can be resolved).

Google said that as soon as it discovered the bugs, it patched its systems and warned other software and hardware companies. It said it was motivated to publish its findings before an originally “coordinated disclosure date” of 9 January because the news of the vulnerabilities had gone public, raising the risk of hackers exploiting the bugs in the CPUs.

How big is the risk?

As Google rightly surmised, once the vulnerabilities went public, all systems became exposed to risk as hackers are now alert to the problem and could release malware and viruses to exploit the bugs, impacting big businesses but also unsuspecting consumers.

IDC estimated that there are 1.5bn PCs in use around the world today, out of which 90pc are powered by Intel processors.

So, if you include ARM and AMD processors in the mix, pretty much every personal computing device, mobile and cloud server in the world is potentially vulnerable.

“The very real fear is that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer’s memory, which may be storing sensitive information,” said expert security researcher Graham Cluley. “Think passwords, private keys, credit card data.

“Intel isn’t able to push out a firmware update to its chip. That means operating systems like Microsoft Windows, Linux and Apple macOS, which relied upon Intel’s hardware to provide some of these essential security services, will have to push out their own low-level updates to do the job that they were previously relying upon Intel to do.

“Meanwhile cloud services like Amazon EC2, Microsoft Azure and Google Compute Engine are are also likely to be at risk and will need to be updated.”

What can you do?

Very little, just keep yourself and your computers and phones as up to date as possible.

No doubt IT professionals in the business world will be patching their systems based on advice from security companies and service providers.

As individuals, pay close attention to ‘system updates’ from Windows, macOS or Linux, as well as keeping your antivirus software up to date. Microsoft issued a security update yesterday and, generally, Windows 10 will automatically download necessary security updates and install them for you.

Google said that all products have been updated but that a new security update, dated 5 January, will be released. All new Android phones released in the last year or so should prompt users to an update they will need to download in the next day or so.

A new version of Google Chrome on 23 January should also come with mitigations to protect your desktop and phone from web-based attacks.

Because Apple products such as Macs, iPhones and iPads use a panoply of processors – from Intel to ARM, as well as Apple’s own processors – the situation is worrying, and Apple is understood to be working with other tech giants under a mutually agreed embargo.

Updated, 9.48am, 4 January 2018: This article was updated clarify that at the time of writing, Apple has yet to comment on updates to tackle vulnerabilities posed by the Spectre and Meltdown revelations.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years