Security experts have identified two major security flaws present in the microprocessor chips used in just about every computer in the world. Known as Meltdown and Spectre, the flaws are not only present in most desktop computers, Apple products and mobile smartphones, but also on the servers that major cloud hosting companies sell as services to host websites and for cloud computing.
Even worse news is that there is no easy fix for Spectre and the only fix likely to work for Meltdown could slow computers down by as much as 30%. The flaws have already gained such notoriety that they have their own logos.
Meltdown would probably require a hacker to surreptitiously install software on your computer, but that software could then access kernel memory on your computer to grab information in ways that wouldn’t normally be possible. For personal computer users, if you’re not tricked into installing malicious software then you’re probably pretty safe, but cloud computing services are harder to protect. Hackers could simply rent space on a cloud service just as any legitimate customer could, and from there they could potentially grab information from other users on the same service.
Spectre works in a similar manner, but instead of accessing the kernel it gets programs to perform unnecessary operations to grab data.
With both Meltdown and Spectre, only small snippets of information could be captured, so it would take a highly sophisticated hacker to gather enough data and stitch it back together into meaningful, usable information.
Patches for Meltdown are expected to be rolled out by Microsoft today for Windows 10, with Windows 8 and Windows 7 patches to follow. Apple macOS 10.13.2 is secure, but earlier versions will also need to be patched. Android devices with the latest security update are protected, and Google are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.
Patches for Spectre are going to be much harder to implement due to the way that modern computers operate.
The real kicker is that the best way to protect against the Meltdown and Spectre vulnerabilities appears to be to dump memory more often. Computers try to hold the information they need in RAM, which is the fastest memory, as opposed to hard drives, which work at relatively slow speeds. Keeping memory empty means that the data has to be retrieved from slow storage when needed, and this is what could result in computers running anything up to 30% more slowly if patches are applied. This will be more of an issue for cloud computing than for desktops.
Far from being an easy fix, Meltdown and Spectre have the potential to affect computing for years if not decades into the future. Much of the media has focused on Intel as one of the largest chip manufacturers, and the company suggests that for the average user performance impacts should be minimal and will be mitigated over time.
“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”