Pine Cove Blog

Meltdown and Spectre Explained: Vulnerabilities, Patches and Protection

Written by Jace Holyoak | Jan 5, 2018 7:02:09 PM

In the world of cyber-security news, 2018 is off to an impressive start. Just a few days into this new year, computer chip flaws have been discovered to be present in billions of devices. Two major flaws have been discovered in a large portion of the world's processors. The Meltdown and Spectre vulnerabilities are present in modern processors that are used to perform "speculative execution." That means that the processors are designed to execute and rapidly access multiple areas of the memory at the same time. The data that should be protected has been found to be vulnerable as the processor queues up information.

Spectre and Meltdown Deconstructed

These vulnerabilities are complicated but impact everyone with any sort of computing device -- desktops, laptops, smartphones, and cloud servers. So let's deconstruct these vulnerabilities.

First, Spectre. According to researchers, Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre opens up the possibility of attackers accessing sensitive data stored in memory such as webpage history and passwords. Spectre affects almost every system including Desktops, Laptops, Cloud Servers, and Smartphones. Spectre has been verified on Intel, AMD, and ARM processors.

Meltdown, on the other hand, breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Meltdown affects every single Intel processor since 1995 (except Intel Itanium and Intel Atom before 2013).

The difference between the two is that Meltdown essentially melts the security boundary normally enforced by hardware while Spectre tricks applications into accessing arbitrary locations in their memory.

Shortly after the announcement of Spectre and Meltdown, Apple confirmed that all Mac systems and and iOS devices are affected.

What can you do about it

Unfortunately, there is really nothing you can do about either Meltdown or Spectre until patches are released for the operating system. The best thing you can do is familiarize yourself with the two major CPU bugs and download the patches as they are released. Intel is preparing to release a Spectre and Meltdown patch for 90% of processors introduced in the last 5 years by the end of next week. Apple, Google, AMD, and others are also expected to release patches in the coming days.

This post will be updated as patches are released to provide you the most current information and security.

For more information visit: meltdownattack.com which will continue to be updated by the researchers that originally discovered the vulnerabilities.