What Linux Users Must Know About Meltdown and Spectre Bugs Impacting CPUs

Brief: Meltdown and Spectre are two vulnerabilities that impact almost all computers, tablets and smartphones on earth. Does it mean you can be hacked? What can you do about it?

If you think 2017 was the year of security nightmares, 2018 looks to be even worse. The year has just started and we already have two major vulnerabilities impacting almost all the processors made in the last 20 years.

Perhaps you have already read about them in detail on various websites. In this short article I am going to summarize the essentials: what these vulnerabilities are, what their impact is and how you can protect yourself from Meltdown and Spectre.

First, let’s see what these bugs actually are.

What are Meltdown and Spectre bugs?

Meltdown and Spectre are similar vulnerabilities that impact the processor (also called the CPU) of a computer. Smartphones and tablets are also computers, so these CPU vulnerabilities may impact them as well.

While the vulnerabilities are similar, they are not the same. There are some differences.

Meltdown

The Meltdown vulnerability allows a program to access the kernel’s private memory areas. This memory can contain the secrets (including passwords) of other programs and the operating system.

This makes your system vulnerable to attacks where a malicious program (even a JavaScript running on a website) can try to find the passwords from other programs in the kernel’s private memory zone.

This vulnerability is exclusive to Intel CPUs and it can be exploited on shared cloud systems. Thankfully, it can be patched by system updates. Microsoft, Linux, Google and Apple have already started to provide the fix.

Spectre

Spectre also deals with kernel memory but it is slightly different. This vulnerability allows a malicious program to trick another process running on the same system into leaking its private information.

This means a malicious program can trick other programs like your web browser to reveal the password in use.

This vulnerability impacts Intel, AMD and ARM devices. This means that the chips used in smartphones and tablets are also at risk.

Spectre is hard to patch but it is hard to exploit as well. Discussions are ongoing to provide a workaround through a software patch.

I recommend reading this article on The Register to get the technical details about Meltdown and Spectre bugs.

Intel calls the Meltdown bug “working as designed”

What’s worse is that Intel tried to defend it in a sugar-coated press release that says only one thing: everything works as designed.

Linux creator Linus Torvalds seems to be unhappy with Intel’s excuses and accused Intel of not being willing to provide a fix. The Register has an even more hilarious takedown of Intel’s press release.

Since the vulnerability was disclosed, Intel’s share price has fallen and AMD’s has gone up.

Is it catastrophic?

It was Google who first identified these vulnerabilities in June last year and alerted Intel, AMD and ARM. As per CNBC, security researchers had to sign a non-disclosure agreement and keep it a secret while working to fix the flaw.

Interestingly, Canonical claims that all the operating system vendors had agreed to provide the fix on 9th January 2018, at the same time as the public disclosure of the security vulnerability, but this didn’t happen.

While these bugs impact a huge number of devices, there have been no widespread attacks so far. This is because it’s not straightforward to get the sensitive data from the kernel memory. It’s a possibility but not a certainty. So you should not start panicking just yet.

How to protect your computer from Meltdown and Spectre?

Well, there is nothing you can do on your side except wait for the updates to arrive. Most Linux distributions, including Ubuntu, Mint, Fedora etc., have already released patches. Other Linux distributions and operating systems should also get the fix soon (if they haven’t got it already).

There are also updates available for web browsers. So, keep a check on system updates and install them as they come.
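Once the kernel update is installed and the machine rebooted, you can confirm that the fix is active. The script below is an added example, not part of the original article: it reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and reports each issue as mitigated, vulnerable, not-affected or unreported (file missing, which means the running kernel predates this reporting). The function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Meltdown/Spectre status report.

# Map one status line from sysfs to a short state.
# Typical kernel strings: "Mitigation: PTI", "Vulnerable", "Not affected".
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation"*)   echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<issue> <state>" for each of the three issues.
# $1: directory to read (defaults to the real sysfs path).
# Returns 1 if any issue is not mitigated or not reported at all.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            state=$(classify_status "$(cat "$dir/$name")")
        else
            # No file: the running kernel does not report this issue,
            # so it has most likely not been updated (or not rebooted).
            state="unreported"
        fi
        echo "$name $state"
        case "$state" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

check_cpu_vulns "$@" ||
    echo "Not fully mitigated: install pending kernel updates and reboot."
```

Run it again after every kernel update; an "unreported" line after updating usually means the system is still running the old kernel and needs a reboot.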

Will the Meltdown fix slow down your computer?

The short answer to this question is yes, it will. If you use an Intel CPU, you may notice a drop of 10-30% in performance after you apply the software update for Meltdown. In fact, several researchers claim that Intel deliberately kept the vulnerability open in order to get a slight performance boost over its competitor AMD.

  • Security issues have always been there, since the beginning of programming, even when the data is encrypted, sooner or later it will be decrypted, so it is better to keep your vulnerable private data at home.

    I will not blame anyone here, because it is a question of character.

    God bless you :-)

    Namaste

  • My laptop has the following processor

    “model name : Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz”

    Do I have to worry about the above-mentioned vulnerability issue?

    • To put it quite bluntly, if you own a CPU that has been developed, implemented and sold any time since the mid 1980’s, it is a concern to you, but the likelihood of you, specifically, being attacked is unlikely.

  • Isn’t the answer to simply not allow any malicious programs to access your computer in the first place? Isn’t that what AV software is for? And if I take the drastic step of preventing JavaScript in my browsers, how then can any malicious code run?

    • As malicious software as a whole can mutate/re-iterate to work around any stop you may personally put into place, A/V software is not bulletproof. Sure, you can disable JavaScript, but what happens if the developers of Spectre or Meltdown decide to port their code to PHP, Python, ASP, or any other language that can store executable, kernel-level code? How would you stop the ported code from issuing and executing CLI commands?

      What I’m getting at for the scenario you present is that JavaScript merely was the language that the programmer decided to use. The only limitation imposed is the extent/fluency of the programmer, and no amount of software checks can be put into place if the code has the ability to morph its signature.

  • I think the losers here are going to be the home users; they will not get compensated while the enterprise users will, that is assuming they can’t fix the problem, and it seems at the present time they can’t. I think because of the alleged story behind this perhaps Intel should be fined, and I mean fined.

    • I highly doubt that a vulnerability of this scope was not something that was taken into consideration when branch prediction or SDRAM were designed, seeing as how the patent for memory-dependence prediction predates Windows 98 and speculative execution was introduced about the same time personal computers were introduced into the home. It would, however, be very interesting to know when CPU manufacturers started understanding the potential vulnerabilities with their prediction algorithms.