Brief: Meltdown and Spectre are two vulnerabilities that impact almost all computers, tablets and smartphones on the earth. Does it mean you can be hacked? What can you do about it?
If you think 2017 was the year of security nightmares, 2018 looks to be even worse. The year has just started and we already have two major vulnerabilities impacting almost all the processors made in the last 20 years.
Perhaps you already read a lot about it in detail on various websites. I am going to summarize them here so that you would know the essentials of these vulnerabilities, their impacts and how can you protect yourself from Meltdown and Spectre in this short article.
First, let’s see what are these bugs actually.
What are Meltdown and Spectre bugs?
Meltdown and Spectre are similar vulnerabilities that impact the processors of a computer (also called CPU). Your smartphone and tablets are also a type of computer and thus these CPU vulnerabilities may also impact them.
While the vulnerabilities are similar, they are not the same. There are some differences.
Meltdown vulnerability allows a program to access the kernel’s private memory areas. This memory can contain the secrets (including passwords) of other programs and the operating system.
This vulnerability is exclusive to Intel CPUs and it can be exploited on shared cloud systems. Thankfully, it can be patched by system updates. Microsoft, Linux, Google and Apple have already started to provide the fix.
Spectre also deals with kernel memory but it is slightly different. This vulnerability actually allows a malicious program to trick another process running on the same system to leak their private information.
This means a malicious program can trick other programs like your web browser to reveal the password in use.
This vulnerability impacts Intel, AMD and ARM devices. This also means that chips used in smartphones and tablets are also at risk here.
Spectre is hard to patch but it is hard to exploit as well. Discussions are ongoing to provide a workaround through a software patch.
I recommend reading this article on The Register to get the technical details about Meltdown and Spectre bugs.
Intel calls Meltdown bug “working as designed”
What’s worse is that Intel tried to defend it in a sugar-coated Press Release that reads only one thing: everything works as designed.
Linux creator Linus Torvalds seems to be unhappy with Intel’s excuses and accused Intel of not willing to provide a fix. The Register has even more hilarious takedown on Intel’s press release.
Since the vulnerability has been disclosed, Intel’s share prices have fall down and AMD’s have gone up.
Is it catastrophic?
It was Google who first identified these vulnerabilities in June last year and alerted Intel, AMD and ARM. As per CNBC, security researchers had to sign the non-disclosure agreement and keep it a secret while working to fix the flaw.
Interestingly, Canonical claims that it was agreed by all the operating systems to provide the fix on 9th January 2018 at the same time as the public disclosure of the security vulnerability but this didn’t happen.
While these bugs impact a huge number of devices, there have been no widespread attacks so far. This is because it’s not straightforward to get the sensitive data from the kernel memory. It’s a possibility but not a certainty. So you should not start panicking just yet.
How to protect your computer from Meltdown and Spectre?
Well, there is nothing you can do on your side except for waiting for the updates to arrive. Most Linux distributions including Ubuntu, Mint, Fedora etc have already released patches. Other Linux distributions and operating systems should also get the fix soon (if they haven’t got it already).
There are also updates available for web browsers. So, keep a check on system updates and install them as they come.
Will the Meltdown fix slow down your computer?
The short answer to this question is yes, it will. If you use Intel CPU, you may notice a drop of 10-30% in the performance after you apply the software update for Meltdown. In fact, several researchers claim that Intel deliberately kept the vulnerability open in order to get the slight performance boost over its competitor AMD.