Security researchers disclosed a set of vulnerabilities that allow hackers steal sensitive information from any computing devices. Vulnerabilities are basically chip design flaws found in chips from Intel Corp., Advanced Micro Devices Inc., and ARM Holdings.
The affected devices include computers, smartphones, tablets, wearables and more running on nearly all operating systems. Companies are now rushing to issue patches to prevent the exploitation by hackers. Even after patches are available, many computers will still remain exposed to one of the flaws. Apple has confirmed that all of its devices are affected and it also released some patches and more will follow soon.
Google researchers discovered the vulnerabilities in June and reported to affected chip design companies. Amazon Web Services also pointed out that the vulnerabilities have existed for more than 20 years.
What are the flaws?
Meltdown and Spectre are two flaws that have affected all computing devices across the globe. A successful exploitation can allow hackers to access your sensitive data held in memory of a device.
Who is affected?
Everybody. Yes, you as well.
What is causing the security flaw?
The issue is due to a feature called ‘Speculative execution’ used in all modern processor. It allows computer’s processor to access the set of information before it is needed. The computer predicts what command or path a programme required before it was requested. If the prediction is wrong, then the execution is rolled back. Now the problem is that it also relies on access to privileged ‘kernel memory’. It should remain protected.
What if a malicious program exploits it to access the kernel memory that contains data like passwords, encrypted information, etc. Even attacker can use the Javascript running in the web browser to access protected memory.
Google’s researcher confirmed that attacker will still need access to the machine in order to successfully exploit the vulnerability.
Here, we are talking about two terms: Meltdown and Spectre. So, let us understand what are these.
What is Meltdown?
Meltdown enables a program to access the protected kernel memory. It affects only Intel processor. As it ‘melts’ boundaries, it got its name. It is there for last 10 years or more. As most of the PC uses Intel Chipset, it affects millions of devices and Firmware updates for hardware will be needed to fix it.
Meltdown can be fixed by kernel page table isolation, but it will affect the performance.
What is Spectre?
Spectre exploits break down isolation between different applications. It allows an attacker to trick error-free programs and leak their secrets. It is harder to exploit but harder to fix at the same time. It affects every single known device based on all kind of chip architecture. It got its name due to speculative execution. Spectre is not likely to be fully fixed anytime soon.
For now, there is no proof of Meltdown or Spectre being used to attack any consumer devices. But Google’s Project Zero team was able to show this kind of attack in action.
Should you be worried?
As a consumer, you should be worried as these are serious flaws. The exploitation does not leave any traces, so you cannot detect if someone has exploited any of these flaws against you. Software patches will be issued to fix these issues, but patches will also slow down your devices. As per reports, the performance is expected to go down by 20 percent once the fixes have been applied. Users should be ready to accept the slow performance to fix these flaws.
Windows 10 has automatically got updates and the update was pushed on January 3, 2018. Windows 8 and Windows 7 users will have to wait till Tuesday. Apple has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2. It will also release updates for Safari on macOS and iOS soon.
Google will push the update for Chrome and Chrome OS soon. But Google confirmed that ChromeOS versions prior to 63 are not patched. Firefox users should also update to Firefox 57.0.4 to ensure they are protected.
You should also update your anti-virus software to keep your system protected.
