
Spectre and Meltdown


What Happened?
During the summer of 2017, researchers from around the world discovered a design flaw in the computer chips that serve as the brains for our computers and mobile devices. That design flaw — seen in Intel, AMD and ARM licensed chips — makes two security exploits possible, called “Meltdown” and “Spectre”. Both sound ominous and for good reason: the flaws “could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks” according to the NY Times. So, uh, yeah: that’s not good.

Who and What Caused the Problem?
These exploits are based on chip engineering flaws, not on software flaws. Apple, Google, Adobe, Microsoft, and other software companies didn’t write poor software or bad operating systems to cause these problems to occur. Rather, the chip manufacturers — Intel, AMD and ARM — designed and then engineered computer chips with flaws built into them. Once discovered, those flaws allow the Meltdown and Spectre exploits to be run. Worse, these chips have been sold with consumer computers, servers and mobile devices since 1995, so the impact is, potentially, both personal and global in scope.

Why Did This Happen?
Unless you happen to be a computer chip designer, the details of this flaw — outlined here by an engineer at Google — look like a foreign language and might make your eyes glaze over like a donut:

I know: SUPER FUN reading, right?
In lay terms, these two flaws exist because, historically, computer chips have been engineered to function as fast as possible, not as safe as possible. The reason for that is — I’m sorry to say — you and me, friends. For generations of computers, we consumers have demanded the fastest possible chips to help run the fastest possible computers. As a result, 100% safety sometimes took a backseat to speed and… here we are.

How Do the Exploits Work?
Despite being specific to Intel chips, the Meltdown exploit is considered the more aggressive of the two threats. It works by “melting down” the security that’s supposed to exist between every software application on your computer and the OS which runs that computer. The Meltdown exploit breaks the mechanism which keeps any application on your computer from having access to other data which are supposed to exist in protected system memory, such as passwords, security keys, credit card info, text of any kind, and other personal information. Any and all of that supposedly protected information is now considered at risk. Here is what running the exploit looks like in real time for those of you who are visual learners. Please note: NONE of the data you see in plain text on the right side of the screen should ever be viewable.

Spectre — an exploit which runs on chips made by Intel, AMD and ARM — works a bit differently. Whereas Meltdown works between an application and the operating system, Spectre instead works between multiple applications. Every application running on your computer has some amount of protected memory stored as it runs. If, for example, you’re running both Dashlane and Adobe Photoshop, then it’s been assumed that each of those applications has its own protected chunk of memory being held securely. Now, it’s known that Spectre breaks this supposed barrier between applications, making it possible to grab application data being held in protected memory. If one of those applications manages, say, all of your usernames and passwords, then you can understand how threatening this security exploit can be. Nothing, not even having best-in-class or state-of-the-art software applications, will help. All applications are just as easily exploited because this problem isn’t software-based, it’s hardware-based. Flawed computer chips mean flawed memory protection, and flawed memory protection means security risks to users like you and me.

Who is at Risk?
In theory, everyone. In practice, both flaws require malicious hackers to have malicious software set up to take advantage of unsuspecting victims. However, that goal is achievable. Apple has stated that “while these flaws are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser.”

Therefore, it’s best to assume that you might be impacted and take the precautions/actions which I recommend later in this article.

How Bad is This, Really?
Billions of computers and devices are impacted. That’s billions with a “b”. The flawed computer chips in question have been around since 1995 and can be found on our most common devices: desktops, laptops, cloud servers, smart TVs, streaming boxes like tv, smartphones, smartwatches and tablets. So the problem exists on a scope and scale that’s near unprecedented.

Paul Kocher is a pretty smart fella: he moderates security panels at international conferences, is the chief scientist at Cryptography Research, and happens to be one of the researchers who discovered the Spectre exploit. According to him, Spectre is “going to live with us for decades.” Here’s the most damning thing he said in that same NY Times story:

“We’ve really screwed up. There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
— Paul Kocher, Security Researcher who co-discovered the Spectre exploit.

What Can be Done?
Software Updates
First, the good news. Because the flaws were discovered last summer, researchers have been working for months behind the scenes to develop patches before announcing the exploits to the public this week, which is standard operating procedure. That means two reasonably good things: it’s highly unlikely that anyone knew about these flaws until this week and software patches to address the Meltdown exploit are now available:

Apple: released fixes for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS didn’t require any fixing, they claim.

Microsoft: released Meltdown patches for their Surface hardware lineup, including the Surface Pro, Book, Studio, and Laptop devices. They’ve posted additional information about patching Windows OS for end-users and servers.

Ubuntu: aware of the problem and hope to release updates on January 9th.

RedHat: clicking on the “Resolve” tab at this link will take you to all available patches.

Other: An on-going and up-to-date list of additional vendors who are patching their software against Meltdown can be found at the bottom of this page.

If you own a device in question (and you do), make a backup of each device and then run these updates. For my guide on how to securely update your iOS device, click here. Yes, I’m serious: take the time to first backup each of your devices.

Now the bad news: the software patches that can be applied to fix the Meltdown flaw might slow your computer down, possibly by as much as 30% by some estimates. My take? The 30% estimates seem awfully high, but — even if true — I’d rather be slower by 30% but know that I’m safer. One counterpoint is Apple: they claim that they are seeing “no measurable reduction” on the Meltdown patch and only about a 2.5% reduction with the Spectre fixes they hope to implement on the macOS and iOS updates to Safari.
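
To confirm that the updates described above actually took effect on a Linux machine (Ubuntu, Red Hat and the like), here is an added example, not code from this article or from any vendor. It reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities; the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the kernel's own report of Meltdown/Spectre mitigation.
# Patched Linux kernels expose one status file per issue in this directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] prints "issue<TAB>class<TAB>raw status" per issue.
# Returns 0 if all are mitigated or not affected, 1 if any is vulnerable or
# unreadable, 2 if DIR is missing (kernel too old to report, or not Linux).
check_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    [ -d "$dir" ] || { echo "no status directory: $dir" >&2; return 2; }
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(head -n 1 "$dir/$name")
        else
            status="(no status file)"
        fi
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "$name" "$class" "$status"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# demo: run the check against constructed sample files (not real host output).
demo() {
    tmp=$(mktemp -d)
    echo "Mitigation: PTI" > "$tmp/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$tmp/spectre_v1"
    echo "Vulnerable" > "$tmp/spectre_v2"
    demo_rc=0
    check_cpu_vulns "$tmp" || demo_rc=$?
    rm -rf "$tmp"
    return "$demo_rc"
}

demo || echo "sample: at least one issue is not mitigated"
```

On a real Linux host, call `check_cpu_vulns` with no argument after updating and rebooting; a non-zero exit status means at least one of the three issues is not reported as mitigated.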
