Home / Tech News / Meltdown, Spectre security flaws impact all processors: What it means, what’s the fix and more

Meltdown, Spectre security flaws impact all processors: What it means, what’s the fix and more



Written by Shruti Dhapola
|

Published: January 5, 2018 10:31 am


Meltdown and Spectre are two processor level flaws impacting all devices from Intel, AMD, ARM, etc. (Image source: Screenshot from Meltdown explainer website)

Meltdown and Spectre are two processor level flaws that security researchers have highlighted. These impact nearly all modern processors used on computers, smartphones, tablets. Windows, Linux, iOS, MacOS, tvOS, Android and nearly all operating systems are impacted by this vulnerability. Here’s everything you need to know about Meltdown and Spectre, and what can you do to keep your PC or device protected for now.



What is causing the security flaw on all modern processors

According to researchers, the issue is due to a performance feature called ‘Speculative execution’ present on nearly all modern processors. This is exists to optimise performance and as the term indicates, the computer is guessing which command or path will be taken next. If the prediction is wrong, then the execution is rolled back. The problem is that this “Speculative execution” also relies on access to privileged ‘kernel memory’, which is supposed to remain protected.

This can be exploited by malicious programs to access the kernel memory, which includes crucial data like passwords, encrypted information, etc. These vulnerabilities also allow an attacker to use the Javascript running in the web browser to access protected memory, according to researchers. However, Google’s Project Zero report has also pointed out in order to successfully exploit the vulnerability, the attacker will still need access to the machine and should be able to run a malicious app or code on the concerned machine. According to Apple, unless a malicious app is running on the iOS or MacOS device, the vulnerability cannot be exploited.

Meltdown, Intel, Intel bug, Intel Meltdown, What is Meltdown, What is Spectre, What is Intel security flaw, Apple, Google, Google Project Zero Meltdown enable a process to read the protected kernel memory. This is an exploitation technique known as CVE-2017-5754. (Image source: Bloomberg)

What is Meltdown vulnerability? Which processors are impacted? 

Meltdown enables a program to read the protected kernel memory,  which should ideally be a strict no-no. This is an exploitation technique known as CVE-2017-5754. Meltdown is believed to impact only Intel processors. It is so named because it ‘melts’ boundaries that should ideally remain around the protected memory and are enforced by hardware. Also the exploits are present on nearly all Intel processors produced in the last ten years or so, which is a huge number considering the company powers a majority of the world’s PCs, etc. Firmware updates for hardware will also be needed to fix this problem.

What is Spectre? Which processors are impacted? 

Coming to Spectre, according to the Security Researchers, this “exploit break down isolation between different applications.” The good news is that Spectre is harder to execute compared to ‘Meltdown’, but that also means the problem is harder to fix. According to the researchers, this “allows an attacker to trick error-free programs” and leak their secrets. “Safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre”, adds the explainer page for Meltdown and Spectre.

The really worrying aspect is that Spectre impacts every single known device. ARM, AMD, Intel processors are all affected, which means your smartphone be it the iPhone or the Redmi Note 4, your laptop, be it a MacBook Pro or an old Windows PC. CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre and as the researchers there is no ‘easy fix’.

Meltdown, Intel, Intel bug, Intel Meltdown, What is Meltdown, What is Spectre, What is Intel security flaw, Apple, Google, Google Project Zero Most companies like Apple, Google, Intel, Microsoft insist they have not found proof of Meltdown actually being used to attack consumer devices. (Image source: Reuters)

Has anyone used the methods to actually attack computers? 

Most companies like Apple, Google, Intel, Microsoft insist they have not found acutal proof of Meltdown or Spectre being used to attack consumer devices. But Google’s Project Zero team was able to show this kind of attack in action. Google’s team showed how a virtual machine exploited the vulnerability to take over the host machine and then another virtual machine, which means this chip level flaw can actually impact entire server networks. According to Apple, Meltdown has the most potential to be exploited.

Intel also admits security researchers did successfully demonstrate “a proof of concept.” So yes, in theory the attack is possible and researchers showed exactly how this can be done. Intel admitted it was able to “replicate the findings.” However, the company says it is “currently aware of any malware based on these exploits.”

The problem is that once an exploit is confirmed to the world, it puts a lot more people at risk, especially since not every user might update their computer, smartphone, etc. Some devices are no longer supported for updates, which makes it very difficult for users to protect themselves against these new vulnerabilities.

Meltdown, Intel, Intel bug, Intel Meltdown, What is Meltdown, What is Spectre, What is Intel security flaw, Apple, Google, Google Project Zero Windows 10 has automatically got updates for fixing the problem. Representational Image. (Image source: ThinkStock)

For instance with Android, Google’s Security blog says, “devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.” Except that most Android devices, especially budget ones, are not on the latest security update (Google has monthly security patches).

This means a lot of users are at risk from malicious apps, and to be clear this is beyond Android. So unless vendors push out security updates for every single user, this will remain a serious problem.

So how can I protect my PC or smartphone from this Meltdown or Spectre? What updates have been rolled out? 

Windows 10 has automatically got updates for fixing the problem. According to The Verge, check for Microsoft update KB4056892 on your Windows 10 PC. This was pushed on January 3, 2018 and should have automatically got installed on your PC. However, for Windows 7 and Windows 8 users, the updates will come next Tuesday. Some firmware upgrades will be required to protect the PC.

In Apple’s case, it has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. It will also release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.

For those using Chrome browser, they need to update to the latest version which will release on January 23. Google Chrome 64 will contain mitigations to protect against exploitation. With Chrome OS, Google says some versions are no longer supported and these are definitely at risk. According to the support page, ChromeOS versions prior to 63 are not patched, so those are at risk. Coming to the Firefox browser, users need to be on version Firefox 57.0.4 to ensure they are protected against the attacks. Additionally anti-virus software will also have to be updated against the attacks, and programs like Avast, Avira, BitDefender have pushed the fix to customers.

For all the latest Technology News, download Indian Express App

© IE Online Media Services Pvt Ltd



Check Also

Reliance Jio’s ‘More than 100% cashback’ offer: Here are the details

By: Tech Desk | New Delhi | Published: January 16, 2018 2:45 pm Reliance Jio’s …

Leave a Reply

Your email address will not be published. Required fields are marked *