MELTDOWN and SPECTRE
The big PC security flaws just revealed and explained
While everyone else had eyes on the “bomb cyclone” descending on the East Coast this week, computer security researchers and tech workers were wincing over something else: massive security flaws discovered that potentially affect the vast majority of personal computers and smartphones ever built.
Two security flaws, dubbed Meltdown and Spectre by researchers, allow processor exploits to steal passwords and other sensitive user data from almost any device made in the past 20 years, according to the New York Times.
Security researchers, including Jann Horn at Google and academics at Graz University of Technology, discovered the flaws. They had already disclosed the flaws last year to the big tech companies like Microsoft and Apple, and had planned to reveal them publicly in coming days.
The processor maker Intel was also informed of the potential exploits, and it may be worth noting that the company’s CEO, Brian Krzanich, sold $24 million in company stock and options in late November, according to Business Insider.
Now software companies are scrambling to push out updates. Google and Microsoft said by Wednesday evening that they had updated their systems to fix the Meltdown flaw, according to the Times. Some consumer fixes, including for PCs, have rolled out, but others are still in development.
There is no evidence yet that hackers have taken advantage of the security flaws. But once flaws are made public, the attention makes your devices ready targets, allowing skilled hackers easy access to your passwords, online bank accounts, and email.
Exploits are unfortunately common these days, as security researchers engage in an arms race with hackers and even nations to build walls around our increasingly connected world of devices.
Meltdown and Spectre are beyond the norm, however, because they allow exploits at the hardware level, the silicon in your machine. That makes fixing the problem much more challenging, as the exploits allow access to the most basic part of your computer.
How do Meltdown and Spectre work?
Processors are one of the building blocks of digital devices. They allow your device to “think,” by performing a staggering number of tiny calculations per second.
Modern devices work in “parallel,” allowing processors to perform different calculations for different applications at the same time. They can also store small bits of information. And this processor complexity is exactly what can be exploited, potentially even by a browser ad or email link.
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information.
Meltdown seems to affect only Intel processors, but the company has a near monopoly on processors for personal computers and servers. Spectre, however, is a more general flaw and may affect even more devices, though experts say the flaw is more difficult to exploit.
According to the security researchers who discovered the exploits, the data at risk “might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
The increasing connectivity of consumer products — say, a smart fridge or juicer — makes these exploits especially dangerous.
According to the Times, hackers could simply rent space on an unpatched cloud service and easily access customer data:
That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.
The biggest cloud service companies, like Google and Amazon, say they’ve fixed their systems issues. But cloud services are an increasing part of many online and offline businesses, which may not act so quickly.
How do I protect myself?
Fixes are in the works for Meltdown but probably aren’t available yet on all your devices. The Verge reported Thursday:
Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. …
For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party anti-virus software then it’s possible you won’t see that patch yet.
Apple said that it released software updates to mitigate the Meltdown exploit for iOS, Macs, and the Apple TV in December and that further updates are forthcoming.
Fixes for Spectre may require hardware changes, which could take years to roll out as people buy new devices.
While you wait for fixes, the best thing you can do is to enable two-factor authentication, which uses login codes from your phone or email. Enable this on as many sensitive accounts as possible, create long passwords, and don’t reuse them. Also consider a password manager, which can create passwords for you (but make sure the manager itself is secure).
This is just sound advice in general. Whether or not these specific flaws are taken advantage of by hackers, future ones certainly will be.
And software fixes for Meltdown, when they come, may not be perfect: Patches for Meltdown could slow down computers in some cases by up to 30 percent. Andres Freund, a software developer, told the New York Times he had confirmed slowdown in testing on Linux machines. But some other experts say that that alarming figure will most likely only apply to servers and cloud services.
That’s potentially bad news for many small- and medium-size businesses that rely on complex networks, but the big tech companies have had time to grapple with the problem and have the money to mitigate any effects on consumers.
The bottom line: Don’t put off updating your devices because of fears of slowing them down.
Do I really have to care about this?
You are probably resigned by now to the malicious code panic cycle: A flaw is discovered or exploited, millions of sensitive personal data is/is not compromised, and we all push a few buttons to get the fix — and pray hackers ignore our helplessness.
While the threat of these newly discovered flaws is still hypothetical, little technical knowhow may be needed to exploit Meltdown, in particular. All it could take is an annoying banner ad to compromise your device.
So to be clear: You absolutely need to push those buttons. But the, ahem, specter of hardware-level security flaws may not be lifted anytime soon.