Don’t Meltdown, but Spectre Will Be Haunting Us For Years
A wave of cyberattacks plagued 2017, from WannaCry to NotPetya to, well… EquiFax and Uber’s little oopsie data leaks, but at least they waited until February before they started hitting us hard. But just two days into 2018, and we have not only Spectre, but Meltdown to worry about as well.
Unfortunately, Spectre and Meltdown aren’t actually cyberattacks so much as they are design flaws that have been present in computers’ Central Processing Units (CPUs) for the past 20 years. Even worse, this is not a case where changing your password is going to do any good (although we always recommend changing your password). These exploits take advantage of something called cache memory. Because of the way CPUs work, every keystroke you make passes through the processor and is stored in a temporary repository, AKA the cache memory.
Now typically, the cache memory is only accessible to the application associated with it; that is to say, Chrome can only access Chrome’s cache memory, and Microsoft Word can only access Microsoft Word’s. But when a processor performs a technique called speculative execution to predict what task is the most likely to be performed next, the changes to the processor’s state so that it can be detected, leaving the locations of stored data potentially vulnerable.
This infographic from firstpost.com outlines the differences between Meltdown and Spectre in greater detail
All of this begs the question: who has been affected by these design flaws? Very broadly, everyone who owns an Intel processor chipset is vulnerable to both, while AMD, ARM, and Nvidia are only going to be affected by Spectre. The fortunate thing is that there have been no confirmed attacks exploiting these vulnerabilities yet, and if you’re already practicing safe-computing (such as backing up your hard drive, running anti-virus/malware programs, and yes, changing your password regularly), you should be in no more danger than you were before the design flaws were revealed.
The most likely issue that consumers will encounter is that, as patches and fixes start rolling out, they may notice a dip in performance. Reports from Microsoft indicate that the older your computer, the more likely you are to notice system slowdowns, especially for users on Windows 8 and 7 computers. The other issue is that a few of the updates are just straight up bricking some computers. So far it’s just AMD based chipsets that have been affected in this way, but that’s still a significant fraction.
Despite the stopgap measures, permanently fixing the security issues that Meltdown and Spectre represent is not going to be easy. Speculative execution has been a part of CPU design since the 90s, and there’s a reason it took 20 years to discover the flaw. Computer systems are incredibly complex, meaning there isn’t always time or expertise available to catch every single flaw in the system. On top of that, resources are more likely to be allocated towards finding software flaws rather than firmware ones.
Now that researchers have found the flaw, though, it’s almost guaranteed that they will continue to find more over the course of the year. It’s like finding one ant on your kitchen counter; now that you’ve been alerted to one bug infiltrating your house, you’re going to be looking for the rest. But is it time to panic and throw all your electronic devices in the garbage (or at least, undergo the lengthy, expensive process of replacing your chipsets with ones not impacted by the design flaws)?
Well, even though Intel’s CEO, Brian Krzinach, sold all the stock he was legally able to offload in a suspicious coincidence of timing, it’s probably not that dire. Apple, Microsoft, and Linux are actively rolling out patches to minimize how much damage the flaws can do, and all browsers are getting updates as well. In fact, Intel anticipates having fixes out for about 90% of recent products. If your device is older than about 5 years, though, you might just want to look into it. It’s nearly the end of its life cycle anyway.
So while Meltdown and Spectre set a bit of an ominous tone for 2018, I remain cautiously optimistic. These two flaws were discovered before they could be utilized to wreak any wide-scale havoc, and the IT industry has responded quickly to get everyone as patched up and secured as possible. It’s important to remember that computer security is not a one and done thing like it used to be in the past. Keeping up to date with patches is now almost as important as changing your password regularly.