Meltdown and Spectre – What you need to know

Tweet

Posted on: 18 January 2018
By: wolfeg
No Comments »
Filed under: Uncategorized

This month our Information and IT Security Officer, Graeme Wolfe, looks at two new security vulnerabilities that have made the headlines over the New Year.

You may have seen or heard the names Meltdown and Spectre in the news and thought they were just titles of the latest action adventure films. In reality they are serious security flaws in the way that computer chips, Central Processing Units (CPUs), and Graphics Processing Units (GPUs) handle sensitive data like usernames and passwords, and encryption keys for secure web connections.

The problems lie with the design of the chip’s hardware and the way it handles data. Affected chips from Intel and AMD are in desktops, laptops and some tablets and affected chips from ARM are in most smartphones and tablets.

Meltdown and Spectre are both processor-level vulnerabilities that make it potentially possible for code running in user-mode – which might include malware or even malicious JavaScript served through rogue adverts on web sites or the like – to read from portions of protected kernel memory, an area hosting passwords, login cookies and other secrets, or other portions of memory it should be blocked from accessing.

The vulnerabilities have been rated as ‘Critical’ and affect just about every computer or device with a chip in them that was made since 1995! This includes ALL brands and makes of devices. So whether you have a Dell, HP or an Apple Mac, an iPhone or Android, even those of you out there running Linux, you are all likely to be affected by this. It has even affected all the major ‘cloud service providers’ such as Google, Amazon and Microsoft.

All the major companies in this field have been working on solutions to fix the problem since the middle of last year. There are a number of security patches that have been released to fix the issue with Meltdown, which mainly affects Intel CPU’s. The Spectre issue is looking harder to fix though.

You may also have heard that the patches are claimed to slow down machines by up to 30 per cent and if you do a lot of processor intensive ‘data crunching’, or play a lot of immersive games, then you may see a slowdown in performance. For most of us who just send messages, email and surf the web, we are unlikely to notice much of a change. I have updated my phone and all my other devices already and haven’t noticed any dramatic change in performance.

There are currently no specific tools that can exploit either of these flaws, but now the research is out in the open, it will only be a matter of time before ‘off the shelf’ exploits are made available to the hacking and criminal community.

The solution, as always, is patch! patch! patch! Additionally you should ensure your browser is running the latest version as well. As an example Google, Amazon, Microsoft and Apple all patched their cloud offerings to correct the Meltdown vulnerability as soon as they were available. They know how important this is. So you should check and see if there are updates available for your device(s) as well.

Do not put off installing any patches from your product supplier and make sure that you shut down / switch off your device when you have finished using it. Most patches will not be applied until the device is restarted. Just closing the lid on your laptop is not enough.

Graeme Wolfe

Information and IT Security Officer

18/01/2018