
Spectre and Meltdown: Security vulnerabilities explained, how to protect and more

The security flaws are said to affect almost every computer running on Intel, AMD, and ARM-based chipsets.


Today, a lot of us rely on computers to get our work done. We also use them to make bank transactions, buy and sell stocks, book tickets and more. With computers being this important, what if we told you that a pair of chip-related security flaws could allow hackers to steal your passwords and other sensitive information? Sounds scary, right?

Researchers have discovered two security vulnerabilities called Spectre and Meltdown that take advantage of design flaws in microprocessors. They are not limited to computers, but also affect mobile devices and servers running in cloud computing networks. If that’s not enough, Amazon said in a statement that this vulnerability “has existed for more than 20 years in modern processor architectures.” But what exactly are these vulnerabilities, what do they do and how do they affect you? Let’s find out.

Meltdown and Spectre: What are the flaws, and how do they work

In 2017, Google’s Project Zero team collaborated with researchers from different universities across the globe to identify a massive problem related to ‘speculative execution.’ It is one of the techniques used in modern microprocessors to improve performance.

So, when a processor uses ‘speculative execution,’ it predicts which calculations it may need to do subsequently, rather than strictly performing tasks sequentially. It then solves them in a parallel fashion. Now, while the CPU does waste some cycles in carrying out unnecessary calculations, it performs a chain of commands much faster than waiting for the processes to complete one after the other.

However, there’s a serious flaw in the way processors are hardcoded to use speculative execution. Because of the vulnerability, processors don’t correctly check permissions and leak information about speculative commands that end up being run. In turn, user programs can glimpse the protected parts of kernel memory, something that is supposed to be isolated from user processes at all times.

As The Verge explains, “The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process.”

What’s the risk?

As a result of these vulnerabilities, every major operating system – macOS, Windows and Linux – is affected. Everything from your stored files to passwords and keystrokes can be compromised. Even the passwords stored in your browser or password manager, your personal photos, instant messages and emails are not safe. And if you think that an antivirus program is keeping your data safe, that is not the case.

While the ‘Meltdown’ vulnerability affects Intel-powered desktops, laptops and MacBooks, the ‘Spectre’ flaw affects processors from AMD and ARM. This means your smartphone is also likely to be affected by the flaw. And with connected devices such as a smart fridge or juicer, to name a few, these exploits are even more dangerous.

The worst part here is that these vulnerabilities existed for the past 20 years. And according to a report on Business Insider, Intel was also informed about the potential exploits by the security researchers.

How to protect yourself from Meltdown vulnerability

Browsers

Almost everyone uses a web browser, so it is important to have them patched with the fix. Sure enough, Mozilla has released a patch for the flaw in the Firefox 57 update, whereas Google and Microsoft are expected to release patches for the Chrome and Edge browsers soon.

Android

There are billions of Android smartphone users out there, and this is what makes it extremely important to have those devices protected from the vulnerability. According to Google, smartphones running on the latest Android version are protected from the vulnerabilities.

Microsoft

Luckily, the ‘Meltdown’ flaw has already been patched by companies. Microsoft has already released a patch for Windows 10 with a fix for the Meltdown vulnerability, and it will soon be releasing patches for Windows 8 and Windows 7. In case you are having trouble installing the updates, Microsoft suggests disabling your antivirus program and using Microsoft Security Essentials or Windows Defender.

Apple

Apple has already released a statement saying that all Mac systems and iOS devices are affected, but there are no known exploits. The company has also released “mitigation” for Meltdown in the iOS 11.2, tvOS 11.2 and macOS 10.13.2 updates. However, the Spectre vulnerability will be tackled in upcoming updates.

Researchers have found that in some cases, patches could slow down your computers by up to 30 percent. While you can protect your data from Meltdown vulnerability, there is currently no fix available for the invasive Spectre flaw.
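
On Linux, one of the affected operating systems named above, kernels that carry the fixes report the status of each flaw as a small text file under /sys/devices/system/cpu/vulnerabilities. The shell script below is an added example, not part of the original article; it reads those files and summarises which flaws are mitigated. The function names are illustrative, and the demo at the end runs on constructed sample data rather than output captured from a real machine.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Patched Linux kernels expose one text file per flaw in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_flaw DIR NAME -> prints "NAME STATE". A missing file means the kernel
# predates the reporting interface, so the state cannot be determined.
check_flaw() {
    file="$1/$2"
    if [ -r "$file" ]; then
        status=$(head -n 1 "$file")
        echo "$2 $(classify_status "$status")"
    else
        echo "$2 unreported"
    fi
}

# report [DIR] -> one line per flaw; returns 1 unless every flaw is
# reported as mitigated or not affected.
report() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        line=$(check_flaw "$dir" "$flaw")
        echo "$line"
        case "$line" in
            *" mitigated"|*" not_affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed sample data (spectre_v2 is deliberately left out).
demo_dir=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$demo_dir/meltdown"
printf 'Vulnerable\n' > "$demo_dir/spectre_v1"
report "$demo_dir" || echo "at least one flaw is not confirmed mitigated"
rm -rf "$demo_dir"
```

Calling `report` with no argument reads the live system directory; a non-zero return means the machine still needs a kernel or firmware update, or runs a kernel too old to report its status.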

  • Published Date: January 5, 2018 4:41 PM IST