Technology

Here’s What You Need To Know About The Meltdown And Spectre Bugs

By this point many people whose computers contain Intel processors are aware that there’s a serious problem with them, but what does this mean for the average PC user? With most things, there’s good news and bad news, but in the case of the two problems dubbed Meltdown and Spectre, we basically have bad news and less-bad news.

Perhaps the worst news is that more than just Intel-based PCs are at risk from the Meltdown and Spectre vulnerabilities.

meltdown and spectre intel
TheDigitalWay / Pixabay

Intel vulnerabilities called Meltdown and Spectre

The shortest answer for those wondering, “What are Meltdown and Spectre?” is that they are two separate vulnerabilities in most of the Intel processors that have been made within the last ten years. Both are serious problems because they make every device that has the affected chips in them open to being hacked.

The chips inside every device we use are not only responsible for actually processing everything we do. That very function means that they handle data that’s extraordinarily sensitive, including usernames, passwords and all the other building blocks that keep your data and device secure.

Anticipation leaves sensitive data out in the open

The researchers who identified the Meltdown and Spectre vulnerabilities found that the processors could allow hackers access to sensitive information that shouldn’t ever leave the device’s central processing unit, CNET explains. Essentially, hackers are able to sneak a peek at data that the processor makes available briefly outside of itself.

Processors do this in order to speed things up a bit. To run a device faster, processors must be able to anticipate what data the device will need for whatever it’s going to do next. It is this anticipation that allows sensitive information to be available briefly outside the processor, allowing hackers a split second to access that information while it’s in the open, so to speak.

Meltdown is a bit more serious than Spectre because it affects a broader array of devices. Google explains that Meltdown “breaks the most fundamental isolation between user applications and the operating system.” This is the one that has the greatest impact on Intel processors, according to PC World.

What Intel had to say about Meltdown and Spectre

On Wednesday, Intel admitted to creating processors with the serious flaws that were originally revealed by British media outlet The Register. There were reports that processors made by other chip makers were not affected by the Meltdown and Spectre vulnerabilities, but Intel denied that this was true.

CNET reports that some designs made by ARM and AMD are also susceptible, although AMD has said there’s a “near zero” chance its chip designs are vulnerable. Investors seem to believe the reports about AMD being in the clear because its stock continues to climb today, as Intel’s loss has been AMD’s, NVIDIA’s and other chip makers’ gain.

Wide array of device types affected by Meltdown and Spectre

The problem is that so many processors share the same or very similar designs that vast numbers of devices are likely vulnerable. Further, it isn’t just personal devices that are vulnerable, but also major servers and other devices. Devices by Microsoft, Google, Apple, Amazon and many other manufacturers are vulnerable to Meltdown and Spectre.

Meltdown, in particular, affects servers, which means even the information you have stored in the cloud isn’t safe. Both Google Cloud and Amazon Web Services were vulnerable to Meltdown, although Google announced that it had already finished security all of its servers, while Amazon had said that it would finish doing so by Wednesday.

According to PC World, Spectre affects not only Intel CPUs but also processors made by AMD and ARM, which means that mobile devices are also at risk. Google explained that it’s more difficult to exploit Spectre than Meltdown but added that it’s also harder to mitigate Spectre’s risk than Meltdown. In fact, the search giant said that there might not even be a hardware solution to fix the risk posted by Spectre, which it explains “tricks other applications into accessing arbitrary locations in their memory.” In order to mitigate Spectre, device makers must harden the software loaded onto them.

Here’s the less-bad news about Meltdown and Spectre

These vulnerabilities also serious because they are a major design flaw in the hardware itself, which makes it much harder to correct without simply replacing the entire device. Although Meltdown and Spectre can be patched via security updates to the software, in this case, the less-bad news is that the security patches that will be needed could severely bog down performance on affected machines.

In fact, The Register claimed that the patches required to fix the two vulnerabilities could slow down affected devices by up to 30% in certain cases. However, Intel denied that this was the case in the statement in which it admitted that its chips had those vulnerabilities.

How to protect yourself from Meltdown and Spectre

Perhaps another bit of less-bad news about Meltdown and Spectre is that researchers agree that there is no evidence that any hackers have exploited these vulnerabilities in an attack. However, now that everyone knows that these vulnerabilities exist, hackers have probably been hard at work on exploits that they could use.

In order to exploit Meltdown and Spectre, hackers must install their exploits on a targeted device, so the odds of the average consumer’s personal devices being hacked are small. Still, it is certainly unsettling to know that these vulnerabilities exist.

Some Meltdown and Spectre patches available now

Device manufacturers are expected to roll out patches to fix the Meltdown and Spectre vulnerabilities, and many users will find that security patches have already been pushed out. Microsoft released a security update for Windows computers to mitigate Meltdown on Wednesday. Apple partially patched the vulnerability in macOS High Sierra 10.13.2 in early December, developer Alex Ionescu tweeted, adding that more safeguards will be included in version 10.13.3. A patch for Linux isn’t ready yet but should be soon.

If security patches aren’t yet available for all your devices, there are some things you can do to protect yourself. The main thing is to be even more vigilant than usual when it comes to clicking on links or doing anything else that could result in malicious software being installed on your device. Keep all of your software updated at all times, including your antivirus software, web browsers, and even Flash, if you are still using it. This is also an excellent time to run your security software to look for malicious software now.