Meltdown and Spectre: How Everyone Is Affected

Although it may have been dubbed the “worst bug ever,” for many years, the mechanism behind security vulnerabilities Meltdown and Spectre was widely regarded as a cornerstone of modern processor design.

It was only at the turn of the year that talk of a serious threat to cybersecurity began making the online rounds. Without any substantial evidence, the subject was cautiously treated as a rumour, but after days of intensifying speculation, Intel were forced to finally come clean.

And so, in an astounding January 3 statement, the chip giant finally admitted that critical security flaws are indeed present in most modern-day processors, including ARM and AMD. Essentially, this conceded that no one is immune to the danger, as it affects virtually all personal computers, cloud servers, and mobile phones as well.

So what in the world happened?

A team of independent and corporate researchers first identified the fatal issues back in June 2017. According to various reports, they found the problem in a technique known as speculative execution.

While hardly easy to explain in layman’s terms, in order to understand this mechanism, it is useful to think of your computer as a local pub.

Every day, a loyal customer comes in and orders the exact same lunch. And so, given enough time, the chef eventually spots the pattern and begins preparing their meal in advance. Not only is this more efficient, but the customer’s food is always ready for them as soon as they walk through the door.

But what would happen if, all of a sudden, the customer decided to swap their usual burger for a gluten-free treat? Taken by surprise, the chef would be forced to throw out the meal he prepared beforehand and start all over again.

Essentially, this is what happens with speculative execution. Whenever computers make calculations that are no longer needed, they simply throw the results away.

But because this discarded data has historically been kept in an unsecured portion of cache memory, although programs are not usually allowed to access information from other applications, cybercriminals are potentially able to exploit this weakness in an attempt to steal valuable data.

Or, stated another way, your passwords, photos, emails and account information are no longer safe.

The “bugs” explained

Chipzilla’s monumental blunder makes way for two new forms of attack known as Meltdown and Spectre.

Meltdown

The aptly named Meltdown mainly affects Intel x86 microprocessors, though it may also wreak havoc in some ARM-based devices. The security flaw allows malicious applications to break into an operating system’s central memory and gain access to confidential data. Incredibly, computers manufactured as far back as 1995 are at risk.

While a meltdown attack is likely to prove disastrous to anyone, cloud computing platforms such as Amazon Web Services will probably be hit the hardest, as a single piece of malicious software could in theory become privy to the secrets of all its neighbours.

Spectre

In contrast to its Intel-focused counterpart, Spectre also affects AMD devices and is not reliant on any operating system. As a result, it is significantly harder to mitigate than Meltdown. Mercifully, however, it is also more difficult to exploit.

For those who do succeed, the vulnerability enables hackers to trick seemingly error-free applications into leaking their private data. They can do so by targeting the isolation barrier between different programs.

And paradoxically, applications which follow current best practices appear to actually increase their susceptibility to these sorts of attacks.

The good news

Thankfully, because the industry was able to keep quiet about Meltdown and Spectre for so long, all major operating systems have already released patches that seek to resolve the vulnerabilities.

This means that as long as you are running a supported version of Windows, macOS or Linux, you should be able to download and install a security update that will turn off speculative execution as early as today.

The bad news

Unfortunately, however, as explained above, speculative execution exists as an excellent form of optimisation. Without this standard technique enabled, your computer is likely to suffer from significant slowdowns that can vary wildly between 1 and 30 percent (depending on your system and how you choose to use it).

Avid gamers are in particular trouble, as evidenced by Epic Games’ recent blaming of Meltdown patches for the downtime and login problems in Fortnite, their popular survival game. In some tests, games were also shown to slow down by as much as 70 percent.

And those who rely too heavily on the cloud might even be met with an unwelcome increase in prices, as companies like Amazon will almost certainly have to buy more servers to compensate for a loss in performance and carry on offering the same capacity as before.

A word of advice

For better or for worse, it is clear that until chip manufacturers are able to update their design to accommodate a safer — and comparably efficient — alternative to speculative execution, all of us will be affected by these newfound vulnerabilities in some negative way.

Nonetheless, certain companies may be at an advantage when it comes to mitigation. Those running their own private servers and bespoke software, for instance, should be in no great hurry to patch up, as it is only third-party applications that represent a real risk.

And while this certainly does not apply to home computers, as long as you understand every process you are running, then the system should remain completely under your control.

For anyone else, however, it is time to stop reading and start patching!

David Blackwood

Comments are closed