Meltdown and Spectre: Everything from smartphones and PCs to cloud computing, affected by the security flaws found in Intel, AMD, ARM and other processors, and the solution could slow down the devices
Meltdown and Specter are the names of security flaws that have been found within computer processors. They could allow hackers to steal confidential data without users knowing, one of which affected chips manufactured since 1995.
What are Meltdown and Specter?
Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the core memory of the computer, which is normally highly protected.
Specter is slightly different. Potentially, it allows hackers to trick applications that would otherwise be bug-free to leave secret information.
What types of devices are affected?
Virtually every computer device affected by Specter, including laptops, desktops, tablets, smartphones and even cloud computing systems. Some less powerful devices, such as certain Internet of Things gadgets, are not affected.
Serious security flaws have been found that could allow the attackers of confidential data, including passwords and banking information, processors designed by Intel, AMD and ARM.
The flaws, called Meltdown and Specter, were discovered by security researchers at Google’s Zero Project along with academic and industry researchers from various countries. Combined, used in all modern computers, including smartphones, tablets and computers of all providers and executed in any operating system.
Meltdown is “probably one of the worst CPU errors ever found,” said Daniel Gruss, one of the researchers at the Graz University of Technology who discovered the flaw.
It is believed that Meltdown mainly affects Intel processors manufactured since 1995, excluding the company’s Itanium server chips and Atom processors before 2013. It could allow hackers to bypass the hardware barrier between applications executed by users and the central memory of the computer. Meltdown, therefore, requires a change in the way the operating system handles memory to correct, which initial speed estimates predict could affect machine speed in certain tasks by up to 30%.
Specter’s flaw affects most modern processors made by a variety of manufacturers, including Intel, AMD and those designed by ARM, and potentially allows hackers to trick applications that would otherwise be bug-free so that leave the secret information. Specter is harder to exploit for hackers, but it is also harder to solve and it would be a bigger problem in the long term, according to Gruss.
Intel and ARM insisted that the problem was not a design flaw, although it will require users to download a patch and update their operating system to fix it.
Is it already being used to steal data?
The National Cybersecurity Center in the UK said there is no evidence that Meltdown and Specter are being actively used to steal data at this time, but the nature of the attacks makes them difficult to detect.
Experts expect hackers to quickly develop programs to launch attacks now that information is available. Dan Guido, executive director of the cybersecurity consulting firm Trail of Bits, said: “The vulnerabilities of these errors will be added to standard hacker toolkits.”
What can I do about it?
For the moment, you can only wait for the platforms to distribute their corresponding patches in the form of an update.
Intel publishes urgent updates to remedy Meltdown and Specter vulnerabilities in its processors.
The company ensures that this weekend they will release updates for “at least 90%” of the processors manufactured during the last five years. However, there is still a lot of work ahead. Both Intel and other companies are publishing their own security patches to try to make their products immune to these security flaws.
So far, Intel has denied that security problems are due to a failure of its products and ensures that other companies are also vulnerable. AMD denies these accusations.
Apple did not immediately comment.
Google said that Android devices running the latest security updates were protected, including its own Nexus and Pixel devices, and that users of Chromebooks would have to install updates.
ARM said that patches had already been shared with the companies’ partners.
AMD said it believes there “is near zero risk to AMD products at this time.”
Cloud services are also affected by the security problems. Google said it updated its G Suite and cloud services, but that some additional customer action may be needed for its Compute Engine and some other Cloud Platform systems.
Amazon said all but a “small single-digit percentage” of its Amazon Web Services EC2 systems were already protected, but that “customers must also patch their instance operating systems” to be fully protected.
Will the fixes slow my computer?
While the fixes for Spectre are not expected to have much immediate impact on the performance of computers, the nature of the fixes needed to protect against Meltdown could have a significant impact.
That’s due to the separation of the application and kernel memory required by the various operating systems to prevent the flaw being used to access protected data. Separating the two memory systems like this means that tasks that constantly require the kernel do to things, such as writing files to disk or sending data over a network, could be significantly slower due to the increased time it will take for the processor to switch between the application memory and the kernel memory.
Some early estimates predict up to 30% slower performance in some tasks. Whether users will notice a difference on their computers will depend on the task they are trying to do. Gaming, browsing and general computing activities are unlikely to be affected, but those that involve lots of writing files may become slower.
Some technologies, such as Intel’s Process-Context Identifiers (PCID) that was included with the company’s processors since 2013, can lessen the impact of the fixes if taken advantage of in the operating system.
Android Security Bulletin—January 2018
Published January 2, 2018 | Updated January 3, 2018
“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-01-05 or later address all of these issues. To learn how to check a device’s security patch level, see Check and update your Android version.”
“Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.”
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
“We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.”