What are Spectre and Meltdown CPU vulnerabilities and are you affected?

In this digital age, technology helps us stay connected to one another and be more productive. But have you ever wondered how secure it is? Two newly discovered vulnerabilities, named Spectre and Meltdown, exploit critical flaws in modern processors. These hardware bugs allow programs to steal data being processed on the computer.

Meltdown vulnerability

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

An attacker who exploits this vulnerability can break the boundary that separates the applications run by the user from the core memory of the computer.

Severity:

We would call Meltdown one of the most dangerous vulnerabilities ever found, at least for a CPU. Daniel Gruss, a researcher at Graz University of Technology, is one of the people responsible for discovering this flaw. In a statement he said:

Meltdown is probably one of the worst CPU bugs ever found!

He also talked about the urgency of the situation and how important it is to fix this flaw at such short notice, as it leaves millions of devices around the globe vulnerable to serious attacks. The fix matters because anything that runs as an application can steal your data, including application programs and even JavaScript running on a web page in any browser. This makes Meltdown really dangerous for us and easy for hackers.

Spectre vulnerability

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is slightly different from Meltdown: it allows hackers to fool applications (even the stable versions of the respective application) running on a machine into giving up secret information from the kernel module of the operating system to the hacker without the consent or knowledge of the user.

Severity:

Spectre is stated to be harder for hackers to take advantage of, but you should still be careful, because it is you who is vulnerable. It is also worth noting that it is harder to fix and can lead to a bigger issue in the long term.

Are you affected by Spectre or Meltdown vulnerabilities?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. Every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

As far as Spectre is concerned, almost every system is affected by it: desktops, laptops, cloud servers, as well as smartphones.

If you are running any modern processor, whether it is made by Intel, AMD or ARM and whatever device it is in, you are vulnerable to Spectre.

On the other hand, if you are running an Intel chip manufactured since 1995, you are vulnerable to Meltdown. The exceptions are Itanium and Atom chips made before 2013.

Who has been attacked yet?

According to the UK’s National Cyber Security Centre, there is currently no trace of Meltdown or Spectre affecting any machines around the globe, but it is also worth noting that these attacks are so sensitive that they are really difficult to detect.

Experts have said that they expect hackers to quickly develop programs to start attacking users based on the vulnerability as it is public now. Chief Executive of Cybersecurity Consulting firm Trail of Bits, Dan Guido said:

Exploits for these bugs will be added to hackers’ standard toolkits.

Here is how you can stay safe:

What you need to do is keep all your devices up to date with the newest fixes available. Enabling Strict Site Isolation in Chrome and preventing JavaScript from loading are other precautions you could take.

However, US CERT has said – “Replace CPU hardware. The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.”

We know that fixes for Linux and Windows Operating Systems are already available. Chromebooks are already safe if they are running Chrome OS 63 that was released in mid-December to the public. If your Android phone is running the latest security patch, it is already protected. For users having Android phones from other OEMs like OnePlus, Samsung or any other OEM, you have to wait for an update from them about the same. Most of the popular browsers & software developers too have released updates – and you need to make sure that you have updated your software to the latest version.

Microsoft has released a PowerShell cmdlet that lets you find out whether your Windows computer is affected by the Meltdown and Spectre CPU vulnerabilities, and has suggested ways to protect your system from them.
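As an added example (not from the original article or from Microsoft): the article does not name the cmdlet, so this sketch assumes it is `Get-SpeculationControlSettings` from Microsoft's SpeculationControl module, and shows how to turn its result into a plain verdict. `Test-SpeculationStatus` is a hypothetical helper, and the fallback object is a constructed sample so the script also runs where the module is not installed.

```powershell
# Added example. Get-SpeculationControlSettings comes from Microsoft's
# SpeculationControl module (Install-Module SpeculationControl).
# Test-SpeculationStatus is a hypothetical helper, not part of that module.
function Test-SpeculationStatus {
    param([Parameter(Mandatory)] $Settings)

    # Spectre variant 2 (branch target injection): mitigated only when CPU
    # microcode support and Windows support are present AND enabled.
    $spectre = $Settings.BTIHardwarePresent -and
               $Settings.BTIWindowsSupportPresent -and
               $Settings.BTIWindowsSupportEnabled

    # Meltdown: kernel VA shadowing is needed only on CPUs that require it.
    $meltdown = (-not $Settings.KVAShadowRequired) -or
                ($Settings.KVAShadowWindowsSupportPresent -and
                 $Settings.KVAShadowWindowsSupportEnabled)

    [pscustomobject]@{
        SpectreV2Mitigated = [bool]$spectre
        MeltdownMitigated  = [bool]$meltdown
        # CPU microcode/firmware support for the Spectre mitigation is missing
        MicrocodeMissing   = -not $Settings.BTIHardwarePresent
        # Windows support for the Spectre mitigation is not installed
        WindowsPatchMissing = -not $Settings.BTIWindowsSupportPresent
    }
}

if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $settings = Get-SpeculationControlSettings
} else {
    # Constructed sample: Windows is patched, but the CPU microcode is not.
    $settings = [pscustomobject]@{
        BTIHardwarePresent             = $false
        BTIWindowsSupportPresent       = $true
        BTIWindowsSupportEnabled       = $false
        KVAShadowRequired              = $true
        KVAShadowWindowsSupportPresent = $true
        KVAShadowWindowsSupportEnabled = $true
    }
}

Test-SpeculationStatus -Settings $settings | Format-List
```

With the constructed sample, the verdict reports Meltdown as mitigated and Spectre variant 2 as not mitigated because microcode support is missing, which is the state of a machine that has the Windows update but no firmware update.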

A list of continually updated compatible antivirus & security software is available here.

Do these fixes affect the performance of my machine?

Well, it is said that the fixes for Spectre won’t immediately affect the performance of the machine, but the fixes for Meltdown will significantly affect the performance.

If you wish to dig deeper into these vulnerabilities, you can refer to the official documentation here.

Ayush has been a Windows enthusiast since the day he got his first PC with Windows 98SE. He is an active Windows Insider since Day 1 and is now a Windows Insider MVP. He has been testing pre-release services on his Windows 10 PC, Lumia, and Android devices.