Meltdown, Spectre chip flaw impacts all devices……
Meltdown and Spectre are two processor-level flaws that security researchers have highlighted. These impact nearly all modern processors used in computers, smartphones and tablets. Windows, Linux, iOS, MacOS, tvOS, Android and nearly all other operating systems are impacted by these vulnerabilities. Here’s everything you need to know about Meltdown and Spectre, and what you can do to keep your PC or device protected for now.
What is causing the security flaw on all modern processors?
According to researchers, the issue is due to a performance feature called ‘speculative execution’, which is present on nearly all modern processors. This exists to optimise performance and, as the term indicates, the computer guesses which command or path will be taken next. If the prediction is wrong, the execution is rolled back. The problem is that this speculative execution also relies on access to privileged ‘kernel memory’, which is supposed to remain protected.
However, Google’s Project Zero report has also pointed out that, in order to successfully exploit the vulnerability, the attacker still needs access to the machine and must be able to run a malicious app or code on it. According to Apple, unless a malicious app is running on the iOS or MacOS device, the vulnerability cannot be exploited.
What is Meltdown vulnerability? Which processors are impacted?
Meltdown enables a program to read the protected kernel memory, which should ideally be a strict no-no. Meltdown is believed to impact only Intel processors. It is so named because it ‘melts’ the boundaries that should ideally remain around the protected memory. Also, the exploits are present on nearly all Intel processors produced in the last ten years or so (from 1995 onward), which is a huge number considering the company powers a majority of the world’s PCs, etc. Firmware updates for hardware will also be needed to fix this problem.
What is Spectre? Which processors are impacted?
Coming to Spectre, according to the security researchers, this exploit breaks down “isolation between different applications.” The good news is that Spectre is harder to execute than Meltdown, but that also means the problem is harder to fix. According to the researchers, this “allows an attacker to trick error-free programs” into leaking their secrets. “Safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre”, adds the website for Meltdown and Spectre.
The really worrying aspect is that Spectre impacts every single known device. Processors from AMD and Intel, and those based on the ARM architecture (all smartphones, wearables, etc. are on this), are all affected. Effectively, this includes your smartphone and your laptop, be it a MacBook Pro or an old Windows PC. CVE-2017-5753 and CVE-2017-5715 are the official references for Spectre.
Has anyone used the methods to actually attack computers?
Most companies, including Apple, Google, Intel and Microsoft, insist they have not found actual proof of Meltdown or Spectre being used to attack consumer devices. But Google’s Project Zero team was able to show this kind of attack in action. Google’s team showed how a virtual machine exploited the vulnerability to take over the host machine and then another virtual machine, which means this flaw can actually impact entire server networks. According to Apple, Meltdown has the most potential to be exploited.
Intel also admits security researchers did successfully demonstrate “a proof of concept.” So yes, in theory the attack is possible, and researchers showed exactly how this can be done. Intel admitted it was able to “replicate the findings.” However, the company says it is not “currently aware of any malware based on these exploits.”
The problem is that once an exploit is confirmed to the world, it puts a lot more people at risk, especially since not every user might update their computer, smartphone, etc. Some devices are no longer supported for updates, which makes it very difficult for users to protect themselves against these new vulnerabilities.
For instance with Android, Google’s Security blog says, “devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.” Except that most Android devices, especially budget ones, are not on the latest security update (Google has monthly security patches).
This means a lot of users are at risk from malicious apps that can try and carry out these attacks. To be clear, this problem goes beyond one operating system or processor. So unless vendors push out security updates for every single user, this will remain a serious problem.
So how can I protect my PC or smartphone from Meltdown or Spectre? What updates have been rolled out?
Windows 10 has automatically received updates that fix the problem. According to The Verge, you should check for Microsoft update KB4056892 on your Windows 10 PC. This was pushed on January 3, 2018 and should have been installed on your PC automatically. However, for Windows 7 and Windows 8 users, the updates will come next Tuesday. Some firmware upgrades will also be required to protect the PC.
In Apple’s case, it has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. It will also release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.
Those using the Chrome browser need to update to the latest version, which will be released on January 23. Google Chrome 64 will contain mitigations to protect against exploitation. With Chrome OS, Google says some versions are no longer supported and these are definitely at risk. According to the support page, ChromeOS versions prior to 63 are not patched, so those are at risk. Coming to the Firefox browser, users need to be on Firefox version 57.0.4 to ensure they are protected against the attacks. Additionally, anti-virus software will also have to be updated against the attacks, and vendors like Avast, Avira and BitDefender have pushed the fix to customers.
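For anyone tracking more than one device, the minimum versions listed above can be checked against an inventory. The script below is an added example, not part of the original article: the inventory format, host names and sample versions are constructed, and Windows 10 is left out because it is tracked by update KB4056892 rather than by a version number. It compares versions numerically, since a plain string comparison would rank 10.9.5 above 10.13.2.

```python
import re
# Minimum versions the article names as carrying mitigations.
MIN_VERSIONS = {
    "ios": "11.2", "macos": "10.13.2", "tvos": "11.2",
    "chrome": "64", "chromeos": "63", "firefox": "57.0.4",
}

def parse_version(text):
    """Turn '57.0.4' into (57, 0, 4); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def at_least(installed, minimum):
    """Compare numerically, padding the shorter version with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def check_item(item):
    """Return 'ok', 'outdated' or 'unknown' for one inventory record."""
    try:
        minimum = MIN_VERSIONS[item["product"].lower()]
        return "ok" if at_least(item["version"], minimum) else "outdated"
    except (KeyError, ValueError):
        return "unknown"  # product not covered above, or version unreadable

def audit(inventory):
    """Map each host to the (product, status) entries that need follow-up."""
    report = {}
    for item in inventory:
        status = check_item(item)
        if status != "ok":
            report.setdefault(item["host"], []).append((item["product"], status))
    return report

# Constructed sample inventory: hosts and versions are made up for the example.
SAMPLE = [
    {"host": "mac-02", "product": "macOS", "version": "10.9.5"},
    {"host": "phone-07", "product": "iOS", "version": "9.3.5"},
    {"host": "pc-11", "product": "Chrome", "version": "64.0.1"},
    {"host": "pc-11", "product": "Firefox", "version": "57.0"},
    {"host": "pc-12", "product": "Firefox", "version": "58.0b3"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An "ok" result only means the device is at or above the version named above; firmware updates and the pending Safari update are tracked separately.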