The flaws named Meltdown and Spectre were discovered by security researchers at Google's Project Zero in conjunction with academic and industry researchers from several countries.
Meltdown and Spectre are the names of two (2) serious security flaws that have been found within computer processors. They allow cybercriminals to steal sensitive information from almost any computer, mobile device or even from the cloud. Not just that, they affect all current Intel, ARM and AMD processors, regardless of the device.
Sounds scary, right?
The great news is that patches have been created to protect many affected systems and products, and efforts are underway to update others. The bad news is that these fixes might slow down computer performance.
In order to understand where these threats come from, you first need to understand a behind-the-scenes process called speculative execution.
Speculative execution lets devices do some work ahead of time to speed up routine tasks. But it also creates a security vulnerability nobody expected.
Let's imagine that your computer is a restaurant and you are the cook. Every day you see a pattern of customers ordering the same menu for breakfast. Eventually, you start making the order ahead of time to ensure the breakfast is ready when the customers start to come. But what if a regular customer decides to order a different menu one day? Now you, as the cook, have to throw away the prepared breakfast and start over. Speculative execution works in a similar way.
Whenever computers perform calculations that aren’t actually needed, the results are thrown away. This data ends up in an unsecured part of the computer’s cache memory, where unauthorized users can access it through a side channel.
What are Meltdown and Spectre?
Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected. Meanwhile, Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.
Why Was Data Left Unsecured?
Previously, back in the 60s, computers were very self-contained and there was no way to see data being thrown away. Nobody thought it was a risk, and it was never secured. But nowadays, computers and mobile devices share system resources with many applications and environments. Sharing is good, but when unprotected data from speculative execution ends up in shared memory, it can become a serious issue.
Like robbers trying to rob your house, cybercriminals will try hard to look for a loophole and use a side channel to sneak in and hijack data.
Even worse, they can trick computers into loading any data, like passwords and account information, into the shared memory so they can steal it.
So what’s being done about Meltdown and Spectre?
When researchers identified them, they brought them to the attention of major technology companies. Hundreds of engineers came together to create patches that block Meltdown and Spectre attacks. It’s critical to install these patches right away and stay up to date with the latest releases of operating systems.
“Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement, denying that fixes would slow down computers based on the company’s chips. “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
In the future, system designs will change to eliminate these kinds of vulnerabilities for good. The reality is, computers will always have some security issues. That's why it's so important to have as many engineers and developers looking for them as possible, and for companies to come together and solve problems that affect us all.
What can I do about it?
Update your computer with the latest security fixes as soon as possible. Mobile users should receive updates from their manufacturer.
Apple has advised customers in a blog post to update their devices’ operating system and only download software from “trusted sources such as the App Store”.
The majority of our servers are patched now, while some older OSes are waiting for our vendor to patch them to the latest stable version. A kernel update requires a server reboot. Please expect 5-20 minutes of downtime on each server reboot.
We will also help our managed server clients to update the kernel and Windows updates, which we will schedule in waves and out of hours.
Following the reboot, it would also be advisable for unmanaged customers to update their virtual machines to secure them too. If you are unsure how, please contact our support team, who will be happy to assist!
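Once a Linux machine has been updated and rebooted, the kernel itself reports whether each flaw is mitigated. The script below is an added example, not part of the original post or any vendor tool; it assumes a Linux kernel (4.15 or later) that exposes /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Meltdown/Spectre status report.
# Assumption: Linux 4.15+ with one status file per flaw in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints NOT_AFFECTED, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT_AFFECTED" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# check_cpu_flaws [DIR] -> prints one line per flaw and returns 0 only when
# every flaw is reported as mitigated or not affected.
check_cpu_flaws() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            text=$(cat "$file")
            state=$(classify_status "$text")
        else
            # A missing file usually means the kernel predates the patches.
            text="(no report from this kernel)"
            state="UNKNOWN"
        fi
        printf '%-11s %-13s %s\n' "$name" "$state" "$text"
        case "$state" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the running system; a non-zero result means updates are still needed.
check_cpu_flaws || echo "At least one flaw is not reported as mitigated."
```

The function exits non-zero when any flaw is unmitigated or unreported, so the same check can be run from a monitoring job after each maintenance reboot.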
Read more here on our Meltdown and Spectre patching announcements