What you need to know about the Meltdown/Spectre flaws

What you need to know about the Meltdown/Spectre flaws

This affects pretty much everyone

Modern CPUs from Intel, AMD, and ARM have been shown to have massive security vulnerabilities that stem from the way processors have been designed over the past decade. 

But even if the regular drumbeat of exploits and security breaches has left you indifferent, there's good reason to pay attention to Meltdown/Spectre, because they can't be fixed with a simple software patch. Instead, they require a complete hardware redesign, so it'll be a while yet before we see a proper fix for the exploits.   

Yes, the interim solution does take the form of patches for operating systems including Windows, macOS, Android, iOS, and Linux, but these haven’t been without problems either. It's quite a mess really, because these patches can actually slowdown your PC, or even cause system instabilities. 

Here’s what you need to know.

 

What is it?

In a nutshell, the exploit allows a process with normal user privileges unauthorized access to the OS’s kernel, which may contain sensitive material such as passwords or encryption keys. 

A kernel is essentially the core of your OS, and it's what manages the operations of your device and the various hardware components like the CPU and memory. It also facilitates how apps and other functions work, and acts as a bridge between programs and your hardware. This means it has full access to your OS and the highest level of permissions. As you can imagine, you wouldn't want anyone poking around in there. 

The flaws have been dubbed Meltdown and Spectre, and the former is technically the more serious one. Still, both are based on the same principle and use speculative execution to break the “fundamental isolation” between apps and the OS in an attempt to obtain data.

Modern CPUs improve performance by using speculative execution to preemptively execute likely code branches. Sometimes, the processor can get ahead of itself and execute the wrong instructions, so it ends up dumping the data and starting over. The problem is that these exploits take advantage of how the data is dumped and could enable attackers to read this data if they have the right malware installed on the system.

The difference is that Meltdown allows malware to gain access to the computer’s kernel, while Spectre filches data from the memory of other programs. Spectre essentially tricks applications into speculatively performing operations that would not otherwise occur, and in this way leaks information to an attacker.

 

Am I affected?

If you own a laptop, smartphone, or other computing devices you bought in the past decade, you’re out of luck. The implications of this are far-reaching, and even massive cloud computing platforms like Amazon Web Services and Google Cloud are not spared.

Users who rent time from these supercomputing clusters could be especially vulnerable, as those running unpatched and unprotected systems could expose themselves to malicious actors sharing their processors.

The exploits also don’t affect all chips equally. Meltdown primarily affects Intel’s chips (because of how aggressively they employ speculative execution), but Spectre can affect Intel, AMD, and ARM processors as well. In addition, there are actually two variants of Spectre – AMD’s chips reportedly have “near zero” risk to one, but they can be susceptible to the other, dubbed Spectre variant 2.

 

What’s the fix?

Basically, update all your stuff.

The entire computing industry is moving quickly to patch the vulnerabilities, so you should install an update if you see one available on your PC, smartphone or tablet (most of the time anyway). This doesn’t just apply to your OS however, and extends to your system’s firmware, web browser, software, and anti-virus as well.

Unfortunately, there's no one-size-fits-all solution for this. Meltdown can be resolved with OS patches, but Spectre requires individual software vendors to update their own apps.

Spectre is also far harder to pin down. It requires a complete redesign of CPU hardware to fix, so even though it's possible to prevent specific known exploits through software patches, Spectre may hang over us for a while yet. 

 

So do the software patches really work?

They do, but there are further caveats attached. Intel released a firmware update for Spectre variant 2, but the “fix” ended up causing problems like reboots and data loss. Ultimately, Intel ended up advising users not to install the available patch until more stable microcode updates were available.

In response, Microsoft released an emergency Windows patch that disabled the flawed Spectre fix, but that took the form of an optional update. Fortunately, Intel has begun rolling out new Spectre patches for its 6th-, 7th-, and 8th-generation CPUs, and these should be a lot more stable. 

It's not all good news however, and it turns out that the patches can result in up to a 30 percent performance hit. That’s because they enforce a new level of virtual isolation between the kernel and processor, so requests between the two have to take an even longer route.

That said, Intel says the extent of the slowdown depends on the workload in question and average PC users should not notice it. How old your PC is appears to matter too, and Microsoft says that users running 6th-, 7th-, and 8th-generation chips and Windows 10 should be relatively unaffected.

And fortunately for gamers, there has been little indication that games will suffer.

 

So… what’s the real solution?

While Meltdown can technically be fixed with software updates, Spectre requires a complete hardware redesign in order to be properly resolved (even if software mitigations do exist). Meltdown is the more talked about problem because Spectre is so much harder to execute, but that doesn’t mean that it can be ignored.

Speculative execution has been an important piece of processor design for over two decades, and it’s responsible for countless performance improvements. Manufacturers will now need to rethink the fundamentals of processor design, and you can be sure that the next generation of chips will be quite different at the hardware level.

The good news is that we may not have to wait that long for a solution. In January, Intel confirmed that silicon-based changes would begin appearing in chips this year.

 

How worried should I be?

Well, there is still no evidence that the vulnerabilities have been successfully exploited by attackers, but that may change now that the details are public. Meltdown also requires malware to be installed on your PC, so you can stay safe by making sure your anti-virus software is updated and having a modicum of good sense while surfing the web (only download software from trusted sources!). 

Having said that, anti-virus testing firm AV-TEST reported 139 code samples that appear to be trying to take advantage of the vulnerabilities. Basically, it looks like attackers are in the early stages of figuring out how to exploit Meltdown/Spectre, so the silicon-based fixes cannot come soon enough. 

But ultimately, it looks like most consumers are going to be okay, assuming they patch their systems.

Android users might be more vulnerable though, because of the notoriously slow pace at which manufacturers push out updates. Google has already put out a patch, and some versions of the Samsung Galaxy S8 and Note 8 have been updated, but chances are that plenty of other Android devices will still remain exposed.