What you need to know

Virtually every computer, mobile and cloud device is vulnerable to two serious flaws which could allow passwords and other sensitive data to be leaked, according to reports by Google Project Zero and other independent researchers. This story has caused tremors across the tech world, with people clamouring to find out what the problem is, and the solution.

‘Meltdown’ and ‘Spectre’ are both hardware bugs that allow programs to access and collect sensitive data, regardless of the computer’s operating system. Programs are generally not supposed to be able to do this, as it could result in stored passwords, personal photos, emails, documents and direct messages being taken without the user’s express permission.

Because cloud computers can also be affected, anyone who uses the cloud could have their data stolen and shared with another party. The harm that these bugs make possible is far-reaching, meaning that most computer users are vulnerable. Here’s what you need to know about how these bugs work, the potential effects, and what needs to be done to mitigate the worst of those effects.

Spectre

Spectre works by breaking down the barriers between different programs. An attacker can fool programs into leaking sensitive or protected data.

Spectre attacks are a type of “micro-architectural attack”. The processor feature that Spectre abuses is called ‘speculative execution’ (the origin of the bug’s name), a method of optimisation whereby a task is executed before it is known to be required. If the task turns out not to be required, the execution is reversed. It’s a way for the computer to guess what needs to be done when the answer isn’t yet certain, and it increases the computer’s performance. Spectre attacks work by tricking computer applications into accessing arbitrary locations in their memory, where the secret data may be.

Almost every computer uses the kind of execution Spectre exploits. Spectre is harder for attackers to use than Meltdown in obtaining data, but is also more effective in avoiding prevention strategies. There are software patches against some specific Spectre attacks.
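An added example, not from the original article: the article does not name a specific Spectre variant, so this assumes the bounds-check bypass form, and the table and function names are made up for illustration. It shows the kind of ordinary code that speculative execution can misuse, next to one software hardening (index masking) of the sort such patches apply.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16
/* Constructed sample data standing in for an application's lookup table. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* All-ones when idx < size, zero otherwise, computed without a branch so
 * there is nothing to mispredict. Valid for size <= SIZE_MAX / 2 + 1. */
size_t index_mask(size_t idx, size_t size)
{
    size_t top = ~(idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - top; /* top is 1 when in range, 0 when not */
}

/* Pattern at risk: the check is correct, but the CPU may run the load
 * speculatively with an out-of-range idx before the check resolves. */
int read_unhardened(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

/* Hardened form: on a mispredicted path the masked idx becomes 0, so even
 * a speculative load stays inside the table. */
int read_hardened(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx &= index_mask(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    int rc = read_hardened(5, &v);
    printf("idx 5:  rc=%d value=%d mask=%zx\n", rc, v, index_mask(5, TABLE_LEN));
    rc = read_hardened(99, &v);
    printf("idx 99: rc=%d mask=%zx\n", rc, index_mask(99, TABLE_LEN));
    return 0;
}
```

Production code normally relies on a maintained helper such as the Linux kernel's array_index_nospec rather than a hand-written mask, because an optimising compiler is free to turn the arithmetic back into a branch.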

Meltdown

Meltdown uses applications to break into the computer’s operating system, and through to the computer’s memory and the secret information contained within programs on the system.

Meltdown uses out-of-order execution to access sensitive data. Out-of-order execution runs tasks out of their original order when some instructions are not yet complete, meaning that the processor does what it can without stalling, cutting down on time spent idling in order to improve performance. Like Spectre, Meltdown uses this irregular functioning, meant to improve efficiency, as a way in to secret information.

Every Intel processor that uses out-of-order execution is vulnerable to Meltdown. This essentially means every processor from 1995 onwards.

Consequences

These bugs allow attackers to obtain content from the memory of your computer, including personal information that could be used to access files and documents, your bank account or business, or facts about you. It’s unlikely that an antivirus program or firewall can prevent an attack, because Meltdown and Spectre can’t easily be distinguished from harmless applications in the way malware normally can.

The experts don’t know if these bugs have been used in the ‘wild’, as a real method to extract data, but as these bugs are now widely known, it gets more and more likely that they will be used. This increases the need for suppliers to find fixes for these problems.

Prevention

The only real prevention you can have is a patch that fixes the bugs, given the difficulty in using antivirus software and the impossibility of detecting an attack. There are already patches and security updates being developed for various devices:

Windows PC: Likely the most vulnerable to Meltdown and Spectre, but there is already a security update for Windows 10, and previous versions, to address this.

Mac: Apple was slow to admit that all Macs were at risk, but has since created a series of fixes in macOS 10.13.2. Be sure to keep an eye out for the latest updates and make sure you’re running the latest version of the OS.

iPhone: iPhones are susceptible too. There are ‘mitigations’ against Meltdown in iOS 11.2, but no patches for Spectre have yet been developed.

Android: Google is in the process of developing patches for Android and other products, and is set to release a security update soon.

Chromebook: Google was ahead of the curve, releasing Chrome OS version 63 in December which includes features to avoid the flaws altogether. If you don’t have that version, here’s a list of Chrome devices and whether an update is coming.