WTF is Meltdown and Spectre? Here’s what you should know about these massive CPU exploits

Posted:  January 5, 2018   By:    14 comments   


Don’t you just love it when you wake up to a massive security exploit that affects pretty much every device you own that has a processor? If you do, you’re going to love it when you find out that there are actually TWO massive security exploits that affect pretty much every device you own that has a processor.

They’re called Meltdown and Spectre, and here’s what you should know about these vulnerabilities as well as what you can do to keep yourself safe.

What is Meltdown and Spectre?

The layman explanation is that these are exploits that can allow an attacker to read sensitive information from a computer’s memory including stuff like passwords, photos, messages, among others. If you want a more detailed explanation, you can check out Google Project Zero’s findings on the exploit. In essence, the exploits have something to do with the way the processors handle “speculative execution” which is a feature in modern processors to help increase performance.

What devices are affected?

According to Google, effectively every Intel processor released since 1995 is vulnerable to Meltdown while chips from Intel, AMD and ARM (that’s the ones in your phone), are vulnerable to Spectre exploits.

If that seems like a broad stroke to you, it’s because it is. This means that probably every computer you own right now is vulnerable to these exploits, including your smartphones, regardless of the operating system you run.

Apple has come out and said that “all Mac systems and iOS devices are affected”, but they note that “there are no known exploits impacting customers at this time”. In the meantime, they encourage their users to avoid downloading questionable software, instead sticking to software that’s available in the App Store only…which is pretty much what you should be doing anyway.

Google’s found that Spectre also affects Android devices but notes that the “exploitation has been shown to be difficult and limited on the majority of Android devices”.

AMD, on the other hand, has denied that their processors are affected despite what companies like Microsoft and Intel claim. AMD says that there is a “near zero risk to AMD processors” currently. According to the chipmaker, it’s because of how the AMD architecture is different so there’s practically no risk for those on AMD chips.

Besides that, PC World writes that Google has reported that the Chrome browser is also affected by Spectre. The Verge reports that the vulnerabilities also allow attackers to use JavaScript codes running in a browser to access memory in the attacker’s process. However, Google has deployed measures to mitigate it in the latest version of Chrome, version 63. Additionally, there will be more mitigation steps in Chrome 64 but in the meantime you can also opt-in to their new Site Isolation feature that can help in mitigating Spectre attacks.

If you want to learn more, you can also read iMore and PC World‘s articles about it for more in-depth explanations.

How can I protect myself from these exploits?

As far as something you can do right now, there really isn’t much. Since this exploit is so technical and deeply rooted in the CPU, all you can do is wait for patches to come in from your product/OS manufacturers. Still, this doesn’t mean that you should just sit on your hands and pray for the best. Instead, you should be making sure your devices are up to date with the latest software patches.

Major manufacturers have already pushed updates for this vulnerability to their devices. Microsoft, for example, pushed a Windows update on the 3rd of January 2018 protecting against Meltdown. Apple has also addressed these issues with macOS High Sierra 10.13.2, iOS 11.2, and tvOS 11.

Intel, has also revealed that they’re already releasing updates (in the form firmware updates and software patches) to patch these vulnerabilities for chips released in the last 5 years. According to them, they will hit the 90% mark of patched chips next week.

Google’s latest security patch (released in December) includes fixes to the vulnerability so if you’ve had your automatic updates on, you would have received it. On our end, our Samsung devices (Note8 and A8), Mi A1 and Huawei Mate 10 Pro have already received the December 2017 security patches so if you’re on a major manufacturers handset you probably already have yours too. If you’re running an older device, things might not be so simple because it’s up to your manufacturer to patch it.

However, patching this problem isn’t without its side effects. Reportedly, Intel’s fix for this vulnerability could cause performance to dip by anywhere between 5% to 30% depending on the type of task at hand. Intel remains adamant that everyday PC users won’t see dramatic slowdowns but have remained vague on which users/workloads will.

It also helps to make sure your antiviruses are working well to mitigate malicious hackers/software from using this exploit to obtain sensitive information in this time period where patch fixes are still rolling out. Most major manufacturers have known about this exploit since June 2017 and have been working on fixes since then.

Until everyone’s all patched up, the best you can do is make sure everything’s as up to date as it can and be careful when using your devices.

[SOURCE, 2, 3, 4, 5]

 


Android, Apple, Google, iOS, Microsoft, Mobile Devices, Mobile OS, News, Windows 10
, , , , , , , , , , , , , , , , , , , , , ,
Wanna say something?






 

14 Comments for WTF is Meltdown and Spectre? Here’s what you should know about these massive CPU exploits

swan

ops obviously u cant just fix this flaw with a 'battery replacement'. all ppl pls go sue intel for cheating yall kambing for decades.

    YKK

    Wah really? Then all Intel, ARM and AMD users are kambing, and lets sue them for billions, since these flaws have been there since the 90s.

      AdKiller

      Not according to AMD: http://www.amd.com/en/corporate/speculative-execu…

      Intel really screwed us big time on this one. Their performance has had many design short cuts that now come to haunt us.

        M.K

        AMD not immune to Spectre. Meltdown is a known flawed, easier to patch (albeit with some performance compromise). Spectre is more difficult, even patch is available, it's not know if it will solve the issue

        M.K

        As someone is saying, "All processors are vulnerable to Spectre. All current Intel processors are vulnerable to Meltdown as well." It's summed up pretty well.

anonymous

nothing new, snowden already warn this before,us govt tactics to impose exploit to spy on people

YKK

So for Apple, iOS 11.2 devices (5S and newer) are pretty much protected against Meltdown. So do OSX and tvOS. Now left Spectre and exploits via Safari, which will be released soon according to this latest statement:
https://support.apple.com/en-us/HT208394

I am shutting down my 1st gen iPad.

    Saladin

    All mac book use intel processor. So all mac since 90s also effected. Iphone screw up, mac book also screw up.

      YKK

      No hardware and software is flawless. It all depends on how these companies react and handle them. Some choose to abandon support earlier than the rests, or shifting the problem to others. As the post already explained, OS patches from some vendors have already been rolled out to plug these hardware holes.

      Asus PC running Windows with Intel processors, so, it’s Asus, Intel or Microsoft’s responsibility now?

JQ

Is Linux affected?

    Rangka Kacang

    Linux is an operating system not a central processing unit hardware but I don’t want to be rude, so to answer your question, you may still be affected due to the nature of the exploit.

YKK

iOS 11.2.2 update and others released, tackling Meltdown and Spectre.

https://support.apple.com/en-sg/HT201222

Can’t seem to find update or statement from the rests like Sam and Hua, all leave it to Google and Microsoft to kao tim ? Can someone can share some links or info?

    M.K

    Android are rely on Android security patch which just recently released. Next is up to vendor

SWong

How about those mid range phone that use mediatek processor?