Meltdown, Spectre: here’s what you should know

Jan 8, 2018
Vote on Hacker News
Thunder strikes in the computer world for the new year. Cyber security researchers detected two critical security vulnerabilities: Meltdown and Spectre. They affect just about all processors on the market. If used, these would have devastating consequences. A patch is underway for the first vulnerability. For the second, it might be necessary to change the hardware…
January 2018 starts with bad news: cyber-security specialists discovered two critical vulnerabilities affecting processors – the calculation units of computers, tablets and smartphones.

Vulnerabilities in almost all processors

The first one that was discovered is called Meltdown. It only affects Intel processors. Potentially, this could mean ALL Intel Processors since 1995. It can be dealt with with a patch which is currently deployed.
The second one, named Spectre, is far more dangerous. It affects all processors, whether it be Intel, AMD or based on a ARM architecture. We’re talking almost every computer or smartphone.
Spectre cannot be corrected or patched. At best, those patches can barely lessen the risk.

An access to “many secrets, such as passwords…”

The effects of these vulnerabilities are catastrophic: “at best, the vulnerability can be used by malwares and hackers to exploit other security linked bugs. At worse, the flaw can be used by softwares and authentified users to read the kernel’s memory […] The kernel’s memory is usually hidden and out of reach because it contains all sorts of secrets. Passwords, encryption keys, hidden files… etc” explained journalists from the “Register”.
Meltdown has this name because, if used by cyber-pirates, machine protections are melted. The Operating System can be accessed. Spectre can break the isolation of different apps thus enabling the hacker to access the kernel’s heart without anyone knowing.

This vulnerability affects all computers even the most sensitive

A cyber-attack using Spectre is far more difficult to set up than an attack with Meltdown. But it would be far more devastating. The more an app is secure, the more its protections are known, even the most efficient ones… and the easiest it is to exploit them during such an attack.
In short, a Spectre attack is as efficient as the apps’ protection is. To top this off, it is a hardware flaw therefore it cannot be patched.
And this is where this gets really freaky: this vulnerability probably affects all the computers used in all the administration, bank and insurance servers worldwide. Those servers where information, passwords and critical ID transit. Think about private life, economy, even public safety.

Can changing machine solve the problem?

Good news: there are, still, some corrective, patch and means to limit the impact of the flaw. Bad news: it will reduce the processor’s speed by up to 30%! And here’s the real bad news: to really get rid of these vulnerabilities, it’s most likely that you’ll have to change your machine. This may be the only way to completely get rid of Spectre: a full hardware replacement cycle after processeur makers have changed their manufacturing methods.
Then again, yes, there are patches to the flaws used by Spectre. And their speedy installation is an emergency. For servers, the performance lapses could take a deep toll on efficiency (or security) in data treatment.

Security fixes and patches galore

Cloud services have already deployed patches. Microsoft launched a Windows 10 patch as early as January 3rd. Apple had already offered version 10.13.2 of MacOs, thus correcting part of the problem. A more complete version will soon be available in version 10.13.3: the Linux Foundation devised a kernel patch.
However, this may only be the beginning of this episode. Security specialists will go on protecting machines on the market whilst trying to limit performance decline. Definitely a New Year day hangover the digital world could have done without.
 [Translation: Lisa Korrigane]