Meltdown and Spectre processor security flaws – explained

“Meltdown” and “Spectre” are the names that have been given to two recently discovered serious security flaws found within computer processors. The flaws have the potential to allow hackers to steal sensitive data without a users’ knowledge. Chips made as far back as 1995 are potentially affected.

The Guardian published an article that described the individual flaws as thus:

“Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected.”

“Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.”

Although the issues appear to have been known about for some time, the fact that they are now in the public domain means that hardware and software companies are making a concerted effort to fix the issues as soon as possible, to ensure that the vulnerabilities don’t become widely exploited.

The big concern with Meltdown is that, in theory, anything that runs as an application has the ability to compromise your data. Spectre is not quite so straight forward and would be harder for hackers to take advantage of, equally it is proving more difficult to fix and is expected to potentially be more of an issue in the long term.

How and what could be affected?

Desktops, laptops, smartphones and tablets as well as cloud computing systems have the potential to be affected by Spectre and as the processor is the primary chip in a computer, it technically carries out the instructions of a computer program. When you effectively tell a program to do something, by clicking the mouse or using the keyboard, the processor carries out that command, working with the rest of the system in order to perform what is asked.

When the news originally broke, it was thought that only Intel processors were affected, but it is now understood that Spectre affects all modern processors; including those manufactured by AMD and ARM in addition to Intel. With regards to Meltdown, the consensus appears to be that it only affects Intel chips manufactured since 1995. (With the exception of the Itanium and Atom chips made before 2013.)

What data is at risk and is it already being used?

The UKs National Cyber Security Centre (NCSC) has said that so far there is no evidence that either of the exploits are currently being used, but they also said that the nature of the attacks make them difficult to detect. However, experts are predicting that hackers will look to quickly develop programs to launch attacks now that the vulnerabilities have been exposed.

Because Meltdown’s issues are within the core system of a computer, it may have access to sensitive information including bank details, credit card info, logins and passwords “in memory”. Whereas Spectre can be used to fool applications into providing sensitive data, which potentially means anything processed by that application could be stolen.

What can be done to protect your systems and devices?

As always the advice is to update your computers with the latest security patches as soon as possible. However, be advised that some Antivirus products were originally seen to be incompatible with some of the fixes. You can see online here which programs were having issues. (Although by the time you read this blog these issues may very well have been resolved!).

Google devices running Android with the latest security update, including Google’s Nexus and Pixel smartphones, will already be protected. Whilst third party Android devices, such as those provided by Samsung and Huawei etc. are expected to push out their own fixes over the next few weeks.

Apple advised its customers in a blog post to update their devices’ operating systems and only download software from “trusted sources such as the App Store”. It also stated that Apple Watch was unaffected.

What impact will the fixes have?

Fixes for Spectre are not expected to have too much of a detrimental effect on a computer’s performance, however this may not be the case for the eventual fix for the Meltdown vulnerability.

Although no one really knows yet, some early estimates are predicting that the Meltdown fix could potentially cause computers to run as much as 30% slower. However, they are also stating that this slowness may not immediately be obvious and will be dependent upon the task that is being performed.

We hope this helps a little to explain what you may have been seeing in the news. If you have any question or concerns, please call us on 01905 758900, email or click here to arrange a suitable time for us to call you.