Meltdown and Spectre, which take advantage of the same basic security vulnerability in those chips, could hypothetically be used by malicious actors to “read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications,” as Google puts it in a blog post.
The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or which operating system it runs. The vulnerability isn’t easy to exploit — it requires a specific set of circumstances, including having malware already running on the device — but it’s not just theoretical.
And the problem could affect much more than just personal devices. The flaw could be exploited on servers and in data centers and massive cloud-computing platforms such as Amazon Web Services, Microsoft Azure, or Google Cloud. In fact, given the right conditions, Meltdown or Spectre could be used by customers of those cloud services to actually steal data from one another.
Though fixes are already being rolled out for the vulnerability, they often will come with a price. Some devices, especially older PCs, could be slowed markedly by them.
Here’s what Meltdown and Spectre are. And, just as important, here’s what they’re not.
Am I in immediate danger from this?
There’s some good news: Intel and Google say they’ve never seen any attacks like Meltdown or Spectre actually being used in the wild. And companies including Intel, Amazon, Google, Apple, and Microsoft are rushing to issue fixes, with the first wave already out.
The most immediate consequence of all of this will come from those fixes. Some devices will see a performance dip of as much as 30% after the fixes are installed, according to some reports. Intel, however, disputed that figure, saying the amount by which computers will be slowed will depend on how they’re being used.
The Meltdown attack primarily affects Intel processors, though ARM has said that its chips are vulnerable as well. You can guard against it with software updates, according to Google. Those are already starting to become available for Linux and Windows 10.
Spectre, by contrast, appears to be much more dangerous. Google says it has been able to successfully execute Spectre attacks on processors from Intel, ARM, and AMD. And, according to the search giant, there’s no single, simple fix.
It’s harder to pull off a Spectre-based attack, which is why nobody is completely panicking. But the attack takes advantage of an integral part of how processors work, meaning it will take a new generation of hardware to stamp it out for good.
In fact, that’s how Spectre got its name.
“As it is not easy to fix, it will haunt us for quite some time,” the official Meltdown/Spectre FAQ says.
What are Meltdown and Spectre, anyway?
Despite how they’ve been discussed so far in the press, Meltdown and Spectre aren’t really “bugs.” Instead, they represent methods discovered by Google’s Project Zero cybersecurity lab to take advantage of the normal ways that Intel, ARM, and AMD processors work.
To use a Star Wars analogy, Google inspected the Death Star plans and found an exploitable weakness in a small thermal exhaust port. In the same way two precisely placed proton torpedoes could blow up the Death Star, so, too, can Meltdown and Spectre take advantage of a very specific design quirk and get around (or “melt down,” hence the name) processors’ normal security precautions.
In this case, the design feature in question is something called speculative execution, a processing technique that most Intel chips have used since 1995 and that is also common in ARM and AMD processors. With speculative execution, processors essentially guess what you’re going to do next. If they guess right, then they’re already ahead of the curve, and you have a snappier computing experience. If they guess wrong, they dump the data and start over.
What Project Zero found were two key ways to trick even secure, well-designed apps into leaking data from those discarded guesses. The exploits take advantage of a flaw in how the data is dumped that could allow them — with the right malware installed — to read data that should be secret.
This vulnerability is potentially particularly dangerous in cloud-computing systems, where users essentially rent time from massive supercomputing clusters. The servers in those clusters may be shared among multiple users, meaning customers running unpatched and unprepared systems could fall prey to data thieves sharing their processors.
What can I do about it?
To guard against the security flaw and the exploits, the first and best thing you can do is make sure you’re up-to-date with your security patches. The major operating systems have already started issuing patches that will guard against the Meltdown and Spectre attacks. In fact, fixes have already begun to hit Linux, Android, Apple’s MacOS, and Microsoft’s Windows 10. So whether you have an Android phone or you’re a developer using Linux in the cloud, it’s time to update your operating system.
Microsoft told Business Insider it’s working on rolling out mitigations for its Azure cloud platform. Google Cloud is urging customers to update their operating systems, too.
It’s a good idea to stay current with your Windows updates. (Screenshot from Matt Weinberger)
It’s just as important to make sure you stay up to date. While Spectre may not have an easy fix, Google says there are ways to guard against related exploits. Expect Microsoft, Apple, and Google to issue a series of updates to their operating systems as new Spectre-related attacks are discovered.
Additionally, because Meltdown and Spectre require malicious code to already be running on your system, let this be a reminder to practice good online safety behaviors. Don’t download any software from a source you don’t trust. And don’t click on any links or files claiming you won $10 million in a contest you never entered.
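On Linux, the kernel itself reports whether the Meltdown and Spectre fixes are active, so you can check rather than assume an update took effect. The script below is an added example, not part of the original article: it reads the per-issue status files that Linux kernels from 4.15 on expose under /sys/devices/system/cpu/vulnerabilities/, and its function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.

# classify_status TEXT -> PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# report_vulns [DIR] -> prints one "name verdict" line per issue.
# Returns 1 if any issue is VULNERABLE or UNKNOWN. A missing file means the
# kernel predates the status interface, which is treated as "needs updating".
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            verdict=$(classify_status "$(cat "$dir/$name")")
        else
            verdict=UNKNOWN
        fi
        echo "$name $verdict"
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: Meltdown mitigated, Spectre v2 unpatched, and the
# spectre_v1 file deliberately absent to show the UNKNOWN path.
sample=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Vulnerable\n'      > "$sample/spectre_v2"
report_vulns "$sample" || echo "action needed: install pending OS updates"
rm -rf "$sample"
```

On a real machine, call report_vulns with no argument to read the live status files.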
Why could the fixes also slow down my device?
The Meltdown and Spectre attacks take advantage of how the “kernels,” or cores, of operating systems interact with processors. Theoretically, the two are supposed to be separated to some degree to prevent exactly this kind of attack. Google’s report, however, proves the existing precautions aren’t enough.
Operating system developers are said to be adopting a new level of virtual isolation, basically making requests between the processor and the kernel take the long way around.
The problem is that enforcing this kind of separation requires at least a little extra processing power, which would no longer be available to the rest of the system.
As The New York Times notes, researchers are concerned that the fixes could slow down computers by as much as 20% to 30%. Microsoft is reported to believe that PCs with Intel processors older than the 2-year-old Skylake models could see significant slowdowns.
Intel disputes that the performance hits will be as dramatic as The Times suggests.
Some of the slowdowns, should they come to pass, could be mitigated by future software updates. Because the vulnerability was just made public, it’s possible that workarounds and new techniques for circumventing the performance hit will come to light as more developers work on solving the problem.
What happens next?
Publicly, Intel is confident the Meltdown and Spectre bugs won’t have a material impact on its stock price or market share, given that they’re relatively hard to execute and have never been used (that we know of). AMD shares are soaring on word that the easier-to-pull-off Meltdown attack isn’t known to work on its processors.
But as Google is so eager to remind us, Spectre looms large. Speculative execution has been a cornerstone of processor design for more than two decades. It will require a huge rethinking from the processor industry to guard against this kind of attack in the future. The threat of Spectre means the next generation of processors — from all the major chip designers — will be a lot different than they are today.
Google is urging customers of its Google Cloud supercomputing service, hosted from data centers like this, to update their operating systems. (Image via Google)
Even so, the threat of Spectre is likely to linger far into the future. Consumers are replacing their PCs less frequently, which means older PCs that are at risk of the Spectre attack could be used for years to come.
As for mobile, there has been a persistent problem with updating Android devices to the latest version of the operating system, so there are likely to be lots of unpatched smartphones and tablets in use for as far as the eye can see. Would-be Spectre attackers are therefore likely to have their choice of targets.
It’s not the end of the world. But it just may be the end of an era for Intel, AMD, ARM, and the way processors are built.