by Patricia Ames
James Bond would not be pleased. Last week, reports confirmed rumors that vulnerabilities in processors manufactured by Intel, AMD and ARM indeed existed. Somehow, the vulnerability has gone undiscovered for over two decades (at least officially), and affects chips manufactured since as early as 1995. Even more surprisingly, researchers from four different organizations spread out across the globe — Graz’s University of Technology, Cyberus Technology, Google’s Project Zero and Paul Kocher — each reported to Intel that they had discovered the bug within a month of each other. Since the news broke, Apple, Microsoft, Google, and other tech giants have released patches, but some experts are skeptical as to whether they will be effective or not.
I wanted to understand how this might affect my own company, so thought I would share with you, our dear reader, as well. At the very least, after reading this, you might be able to throw some of these tidbits out at the next cocktail party.
What is this all about?
The vulnerabilities are not a software bug, and thus affect most computers, smartphones and tablets, regardless of the operating system being used. Experts warn that even the servers of huge cloud-service providers, like AWS and Azure, could be affected.
Engineers have come up with “speculative execution” and “branch prediction” — among many other great innovations — in their efforts to get the most out of computer processors. The former enables processors to execute operations out of order, while the latter helps predict which operations it should execute next. These innovations may contribute to much faster processing speeds, but they also inadvertently provide hackers with a way to access very, very sensitive data.
Spectre and Meltdown exploit these vulnerabilities, which undermine some of the basic principles that keep computers secure.
The more sophisticated of the two, Spectre, is “harder to exploit” but “also harder to mitigate,” according to spectreattack.com. Spectre breaks the isolation between different applications. According to the researchers who discovered the vulnerabilities, an attacker could trick an application into leaking secrets by making it “speculatively perform operations that would not occur during correct program execution.”
Spectre affects desktops, laptops, cloud servers and smartphones. But more specifically, it affects “all modern processors capable of keeping many instructions in flight,” said the researchers. They also noted that they have verified Spectre on Intel, AMD and ARM processors.
While Spectre can break the isolation between different applications, Meltdown can break the isolation between user applications and the operating system. According to the researchers who discovered Meltdown, a Meltdown attack “enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”
However, Meltdown seems to be the more manageable of the two. Researchers who discovered the vulnerability note that “the KAISER defense mechanism for KASLR has the important (but inadvertent) side effect of impeding Meltdown,” and that immediate, wide-scale implementation is necessary to prevent “large-scale exploitation of this severe information leakage.”
Meltdown affects desktop, laptop and cloud computers. But if your device uses an Intel processor made since 1995 — which it probably does — then you are more than likely vulnerable. Researchers have yet to verify that Meltdown on AMD or ARM processors are affected (although ARM has said that some of their processors are also affected.)
What to do
While patches for Spectre and Meltdown are available — with more on the way or in the works — some are concerned that the fixes might affect performance. In a blog by Microsoft’s Executive VP of the Windows and Devices Group, Terry Myerson, we can see that the quick fix might come with some pain. He wrote that while Windows 10 machines with Skylake or Kaby Lake CPUs “show single-digit slowdowns” that users wouldn’t notice, older machines “show more significant slowdowns” in which “users will notice a decrease in system performance.” While updates for Windows 7, 8.1 and 10 were recently released, compatibility issues with some antivirus software, as well as devices with older AMD processors, have paused some updates as noted on Microsoft's support pages, so keep an eye out for information on both issues. And be sure to apply the firmware updates from your computer’s manufacturer as well as Microsoft's updates.
If you are on an Apple device, iOS devices should be running version 11.2.2; High Sierra devices should be on the 10.13.2 supplemental update and your Safari version should be 11.0.2. The patch is available as of Jan. 8 — refresh your updates page if it’s not showing up.
Then cross your fingers that all is well. News of the next security breach will invariably be coming soon.