Meltdown and Spectre CPU Vulnerabilities: Here’s What You Need to Know

Researchers at Project Zero, Google’s cyber-security arm, have discovered a pair of vulnerabilities in some of the most popular CPUs used in PCs, Macs and handheld devices. The Meltdown and Spectre security flaws have been described by some commentators as some of the “worst ever” security threats, affecting millions of users all over the world.

Computer manufacturers have reacted quickly, however, and there are already fixes available for many devices. The flaws were originally discovered in mid-2017, and Google has been working in private with various firms to release the necessary security fixes. In this article we’ll talk you through what this latest threat means and how you can protect yourself from it.

This pair of security threats, which would make a fine name for an electronica DJ duo, affects most modern computers. Given that they are native to CPU chipsets from Intel, AMD and ARM, there’s a very high chance your PC, Mac, iPhone or Android phone uses a chipset from one of these manufacturers and that you’re affected. Both Spectre and Meltdown affect Intel and ARM chipsets, while only Spectre affects AMD.

These threats lie in a CPU feature known as “speculative execution,” which speeds things up by letting the chip guess which instructions a program will need next and carry them out ahead of time. The side effects of that early work can allow programs to read potentially sensitive information like passwords, encryption keys and bank details from memory they should not be able to access.

It’s worth noting that for Meltdown to have a chance of affecting you, you need to have a malicious app or program on your computer in the first place. Spectre, on the other hand, is much more difficult for hackers to exploit, but could potentially attack you using malicious JavaScript code on a website. That’s very unlikely, however, and for the most part these aren’t vulnerabilities that can just hit you out of nowhere.


All of the affected chipset manufacturers have already had their say on the issue, and perhaps predictably, AMD and Intel have gone on the defensive, even taking indirect jabs at their rival. ARM, meanwhile, has been a little more neutral, given that it isn’t in direct competition with the other two, dealing mainly in Android and iOS chips. The following is a little bit of what they had to say.

Intel

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits.

AMD

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

ARM

This method requires malware running locally and could result in data being accessed from privileged memory. Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.


When the news was revealed, Microsoft released a hotfix for Windows 7, 8 and 10 that you should install immediately if you haven’t already. It should be an automatic update, so if you go to shut down or restart your PC, it should say “Update and Shut Down” if you haven’t already updated. Do so straight away.

Apple has announced that before the vulnerabilities were revealed, it already released “mitigations” in iOS 11.2, macOS 10.13.2 and tvOS 11.2, while stating that Apple Watch is unaffected. The key word here is “mitigation,” as this issue is too deeply rooted to be easily resolved by these companies. You’ll be better protected, as anti-virus software will be able to detect attacks, but the flaws will still exist. This applies to all devices.

Google has said that the vast majority of Android users are unlikely to be affected by the vulnerabilities, but nonetheless released a patch in December 2017 to all major smartphone manufacturers. As we well know, however, the Android patching process can be slow, so unless you have a Nexus or Pixel phone, you may need to wait a while. In the meantime, be very wary about downloading unfamiliar apps to your phone.

The Ubuntu devs were working on releasing fixes in time for January 9, which was the original date these vulnerabilities were meant to be disclosed. But because they were released early, Ubuntu is now scrambling to get fixes out on time. Keep an eye on the Ubuntu security notices page for updates.
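Once the fixes are installed on Ubuntu or another Linux system, you can confirm that they are active. The following is an added example, not part of the original article: it assumes a kernel that exposes per-issue status files under `/sys/devices/system/cpu/vulnerabilities/` (Linux 4.15 and later, plus kernels with that interface backported), and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# Each file under the sysfs directory holds one status line such as
# "Not affected", "Mitigation: PTI" or "Vulnerable".

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per issue and returns 1 if any
# issue is not confirmed as mitigated (vulnerable, unknown or file missing).
# DIR defaults to the real sysfs path; pass another directory for testing.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify_status "$status")
        else
            # No file: the kernel predates this reporting interface,
            # so the mitigation state cannot be verified this way.
            status="(no sysfs entry)"
            verdict=UNKNOWN
        fi
        printf '%-10s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}
```

Source the file and run `check_cpu_vulns`; a non-zero return code means at least one of the three issues is not confirmed as mitigated and the machine still needs a kernel update.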

The good news is that there have been no reports of anyone being attacked using these vulnerabilities yet, and for the most part, companies were ready and waiting with the necessary fixes. It’s perhaps hyperbole to call this the “worst ever” security vulnerability, but it is undoubtedly the widest reaching, affecting just about all devices. Mostly the same rules apply, however: keep your device updated, and don’t download dodgy software!
