The Dangerous Meltdown and Spectre CPU Bugs Explained
With the advancement in technology the risk of your personal information getting into wrong hands increases as well. We have already seen some latest risks in the last few years from which big companies like Apple even were not even able to escape. In case you think you are safe, the problem is as deep as the processor in your CPU. Right now the Silicon Valley is suffering from two such vulnerabilities named, ”Spectre” and “Meltdown”.
This time the hackers are trying to get access to your private information via different processors coming from the ARM, Intel as well as AMD. Google discovered these vulnerabilities last years, but it was revealed and pushed by them publicly recently. The Spectre and the Meltdown take advantage of the same vulnerabilities to grab the personal information from your system’s memory directly. The secure information that they can get is your password, the application information as well as the encryption keys.
The biggest thing here is that almost every laptop, smartphone, PC, and tablets are under the range, doesn’t matter your device is running on-chip made from manufactured by any company. Even the operating systems cannot save you this time, as the vulnerability is not at all dependent on it. However, in order exploit the vulnerability, the hacker needs a specific set of pre-requisite which includes a malware running on your device as well. If you have got a good antivirus software installed, it can catch any malware and delete it before it does it work. Still, the danger is not just theoretical, a hacker could achieve it.
The problem does end here as well. We said, the Spectre and Meltdown vulnerabilities are related to the processor chip, that means it can even affect a lot of other gadgets as well apart from our personal devices. We could face serious problems if hackers find their way into processors used in running data centers and cloud servers. Some big names like Amazon Web Service, Google Cloud, and Microsoft Azure could also get affected by the vulnerabilities. If the condition as optimum, the users can even steal data and information from other cloud users.
The good news here is that companies have already been working on the updates and patches to fix these vulnerabilities. Let us talk a bit in more detail about Meltdown and Spectre in the further section.
Meltdown is the vulnerability that badly affects the Intel-manufactured chips. This is because the processor makes use of speculative execution tactics that works fairly aggressively. Also, the speculative execution allows the CPU access to kernel memory as well.
“On affected systems, Meltdown enables an adversary to read the memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”
If you do not know much about speculative execution, it makes the chip to predict the future move of the process so that it can work faster than normal. If it has the hint about the algorithm of a particular program, it will start working out its own equation to get early results even before the program asks it to actually work on it. Let us give you an example. Let’s say you have a function that does computation A if the condition is true else it computes the code B. Now, the chip does both the computations in parallel even before it knows whether the condition is true or false. Once the condition is determined, the CPU has already done some of the computation and thus takes less time in producing the result. In another case, let’s say that the CPU knows that the user uses a particular function frequently, it might pick up solving the function in its idle time so that it knows the outcome and next time the user runs the same function, it could give out the result immediately. You don’t even ask the CPU to solve the function still it does to make the processing faster.
The processor does check for the invalid memory access, but that occurs after speculative execution. So, all the invalid branches it gets do not get executed, but there is a possibility that the hacker can try to extract data from these blocked branches as well as the affected cached blocks.
The company is trying to fix it via various OS patches in Linux, Windows, and MacOS. The official PDF on the Meltdown vulnerability says that the patches are working fine on various operating systems for a start. However, the problem cannot be fully fixed from the software patches.
Meltdown is not that scary as Spectre is. The Meltdown vulnerability can be avoided in one or the other way using the software patches. But Spectre is way more serious than that. It is a name that is given to the attacks that “involve inducing a victim to speculatively perform the victim’s confidential information via a side channel to the adversary.”
Unlike Meltdown, Spectre has a completely different method of attacking the information. Using the Spectre vulnerability the hacker can make any program running on your PC export some of the running data that could be even confidential. However, pulling it out takes a lot more information on the inner workings of the program on which user is working on. But the hackers can inflict any processor out there running on any device.
Why are Meltdown and Spectre Vulnerabilities so Dangerous?
Both the vulnerabilities are really very dangerous from the privacy point of view. A person can just write a piece of code on a website and then use the Spectre vulnerability to trick the internet browser and transfer your username and password to the hacker. The Meltdown, on the other hand, can be used by the hackers to view you’re as well as other user’s data even on the virtual servers that are hosted on the hardware running on the same processor. If this is made possible, it would be disastrous for the cloud company and the users.
The Spectre and Meltdown Software Patches
It would be right to say that the main vulnerabilities lie in the fundamental hardware level and is very hard to fix using different software patches. Still, most of the wonders have released different software security updates that could handle the problems in the better way to make them secure and non-vulnerable to the hackers. There was a KAISER patch that was developed by the Linux security last year which had a side effect, which turns out to be the solution to Meltdown problem as well. Looking at it, a lot of cloud vendors have already patched their servers with similar updates. The companies that are constantly making advancement on it include Apple, Google, Intel, and Microsoft. In addition to that, we also recommend you to keep your security system updated as well as the internet browsers.
In case you are using old systems like Windows XP or old smartphones running on old Android version, your device might not be patched. Obviously, it is impossible to patch each and every smartphone in the world.
The first patch was released by Microsoft on January 11, 2018, where they patched most of the systems running Windows 7 as well as the Internet Explorer and Edge browsers.
Next was Apple to come up with a patch for Macs. It was released for the MacOS, tvOS as well as iOS operating system and Safari browser on January 3rd, 2018.
Google also released a list of Chromebooks which have been patched with the new update and that which will be patched soon. They also released another list containing models that won’t be receiving the patch.
The Firefox developers have released a patch for their browser on January 23, but it is still in the beta phase.
As for the Android users, if you are using a phone from Samsung or Google, your devices are mostly patched or soon with be patched. We can’t say much about the other manufacturers. It is possible that most of the Android devices might remain unpatched.
Does the new Patch Update affect the Performance?
The patches that the machines have been receiving an alert of mitigating the vulnerabilities by altering the way your system uses speculative execution or disabling its use. It also affects the way your system has been using the caching feature by the hardware. Well, the speculative execution was one of the features that make your system work fast. And without it and altering its normal working reduces the performance of your system by 10 to 30 percent.