Spectre and Meltdown – The Plot, The Patch and The Problem
At the dawn of 2018 we were welcomed by two mother-of-all vulnerabilities, Spectre and Meltdown. The attention and coverage these two received was nothing less than sensational, and rightly so.
Are you affected?
The simple answer is YES. If you are using a PC, a Mac or a phone, you are one of the victims. The good news is that both vulnerabilities are either patched (fixed) or being patched by Apple, Microsoft, Google and Intel.
Should you be worried?
Not really. Most affected devices are either fixed or being fixed through a software update from the respective manufacturer. Make sure you update your device’s software when prompted and keep your anti-virus up to date, and you will be as safe as ever.
Meltdown and Spectre… English Please!
For non-geeks, the announcements by the tech giants are confusing and difficult to understand. Here is a simple explanation of what they are.
Firstly, Meltdown and Spectre are two separate threats. But since both were identified together and both affect the processor / CPU (the chip inside the computer or phone), you will often find them mentioned together, as in this article.
Since both exploit a weak process in the CPU, there is no easy fix apart from a software update. However, this is like applying a plaster to avoid further damage. The real fix will come with the next generation of processors, and only if the manufacturer wishes to provide it.
Most Intel Processors (all PCs and Macs), Apple’s new A series processors (iPhone 5 onwards) and Qualcomm’s 845 processors (Samsung S8 and S8+) are potential targets.
Meltdown exploits a “privilege execution flaw” that allows applications to access kernel memory. In other words, an application can run any code on the device, which gives it access to all data.
This flaw affects almost all modern processors.
Spectre doesn’t need to find a way to execute code on your computer because it can trick the processor into executing instructions for it, which then grants access to data from other applications. This means an exploit could see what other apps are doing and read the data they have stored. The way a CPU processes instructions out of order in branches is where Spectre attacks.
Although Spectre has the larger reach, both have the potential to be catastrophic.
Who found them, and how?
There was a huge backlash against Google’s Project Zero team, who initially alerted chip makers to the flaw back in June 2017. Typically, the Project Zero team releases the details of a flaw to the public 90 days after it notifies the manufacturer. Surprisingly, they didn’t, and by Nov / Dec more people had reported the issue.
Is It Fixed?
Yes and No. Intel, Apple, Google, Microsoft and many others have patched the flaw; however, this doesn’t fix the issue. In fact, the flaw will be resolved only in future processors using a new architecture. Moreover, due to the fragmented Android ecosystem, even though Google released a security patch, many OEMs such as Samsung have yet to release the fix for their devices.
How can you prevent it?
For Windows Devices (PCs and Laptops)
- Install the January 2018 patches.
For Apple Devices (Mac, iPads and iOS)
- Mac users, make sure you have Mac OS update 10.13.2 installed.
- iOS users (iPad and iPhone), install iOS update 11.2.2.
For Android Phones and Tablet users
- Google has released a patch for Android users in the January 2018 Security Update. If you are using a Pixel or Nexus phone, you are in luck.
- Samsung users will get updates for Galaxy S6 onwards and Note 5/Edge, Note 8 and Tab 3. No release date has been given. Other Samsung phones are not covered, as of this report.
- Other brands are working to release the security updates.
- You should also download updates from your PC / device manufacturer’s site.
- Microsoft announced that some of the updates prior to 5th Jan 2018 may interfere with anti-virus software.
- Some of the fixes have caused AMD processors to malfunction; please tread carefully before applying patches.
- Patches may impact performance on PCs with older processors.
The Good, The Bad and The Ugly of these fixes:
The Good: Meltdown and Spectre had industry giants working in tandem. They have worked together at a great speed to minimize the impact to the consumer.
The Bad: Many PCs and phones still remain unprotected due to lack of admin resources and OEM inactivity.
The Ugly: These are just patches and not a permanent fix. According to industry experts, a permanent fix requires redesigning the processor architecture, which isn’t going to happen in the immediate future. The fix may also slow down processors, and we may experience reduced computer performance.
While the response to Meltdown and Spectre hasn’t been as smooth as one would have liked, tech companies appear to have done a thorough job. Meltdown, though easier to exploit, is also easier to protect against; the operating system changes appear successful.
Spectre, however, is going to be a difficult problem to fix. It doesn’t have any simple fix. Unlike the other attacks, there doesn’t appear to be any way of implementing an operating system-level fix, and the application of appropriate application-level fixes is in all likelihood going to require a lot of manual effort by developers.
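To show what one such manual, application-level fix looks like, here is an added example (not from the original article or from any vendor patch) of a bounds-checked array lookup, first unhardened and then hardened by index masking, the same idea the Linux kernel uses in its array_index_nospec helper. The table contents and function names are hypothetical, and the code assumes a GCC or Clang compiler.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_SIZE 16u /* constructed sample data, not from the article */
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Unhardened pattern: the bounds check is architecturally correct, but the
 * CPU may predict "in bounds" and perform the load speculatively with an
 * out-of-range idx before the comparison has resolved. */
uint8_t lookup_unhardened(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Returns all-ones when idx < size and zero otherwise, computed with plain
 * arithmetic so there is no branch for the predictor to guess.
 * Valid for size <= SIZE_MAX / 2. */
size_t index_mask(size_t idx, size_t size)
{
#if defined(__GNUC__)
    /* Hide idx from the optimizer so it cannot turn the mask into a branch. */
    __asm__ volatile("" : "+r"(idx));
#endif
    /* Top bit is set if idx >= size (subtraction wraps) or idx is huge. */
    size_t out_of_range =
        (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1; /* 0 - 1 = all-ones, 1 - 1 = 0 */
}

/* Hardened pattern: identical results for every input, but the index is
 * forced to 0 when out of range, so even a mispredicted branch can only
 * ever read table[0]. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_SIZE) {
        idx &= index_mask(idx, TABLE_SIZE);
        return table[idx];
    }
    return 0;
}
```

Both functions return the same values for every input; the difference is only in what the processor can touch while it is still guessing, which is why each sensitive lookup has to be found and changed by hand.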
Stay safe! Keep patching!!