It seems to happen more and more frequently, a new vulnerability is publicized and everyone rushes to patch their computers and devices. This time, it’s two different, but very closely related, vulnerabilities, Spectre and Meltdown. Normally these vulnerabilities are software based. A bug in Internet Explorer, a back door in Microsoft Office, an exploit in Adobe Flash. Today we’re looking at something quite a bit different, Hardware Vulnerabilities.
What Is Spectre and Meltdown?
On January 3rd, 2018 several researchers, including Google’s Project Zero team, found that a design used in chips from Intel, Arm, AMD, and other manufacturers can allow access to data that should be secure. This data should be on the CPU itself and not available to any other processes. The problem lies in “Speculative Execution”, the process that chips use to make an educated guess about what it needs to do in the next operation. During Speculative Execution, the processor is making the information required for the next operation briefly available in a less than secure manner. If you want to know more about Speculative Execution, here is a PDF from Intel: Intel Analysis of Speculative Execution Side Channels.
The Spectre exploit allows hackers to convince the processor to initiate the Speculative Execution process.
The Meltdown exploit allows the hacker to access the Speculative Execution information from the operating system.
Both Windows and Mac are affected, because both Windows and Mac devices are built around the affected chips.
How To Fix Spectre and Meltdown?
The Fix for the Meltdown and Spectre vulnerabilities involves both software patches and hardware patches. Microsoft has released updates for all currently supported operating systems. On your home computer, if you regularly installs Windows Updates, you should have already received the patch from Microsoft. You can always check by running Windows Updates manually. If you’re in a business environment, you have likely received the Microsoft patch through your company’s Patch Management Program.
Now comes the hard part, the hardware patching. Intel initially released a set of updates for their affected CPU’s but they have proved problematic and have since been pulled by Intel. The initial Intel updates were causing spontaneous reboots and therefore data loss on affected machines. It was bad enough that Microsoft issued an emergency patch on January 29th to disable the Intel patches. Latest word is that Intel is working on a fix and should have reliable patches available soon. Intel’s newest info is available here: Facts About The New Security Research Findings and Intel Products
Most CPU chips from roughly the last two decades are affected by these exploits, it’s not just Intel. Finally, it’s not limited to Computers, you will need to install updates on your Smart Phones, Tablets, some Routers and Networking equipment, and other internet connected devices.
We’re working on a comprehensive post to give you specific instructions for your devices, stay tuned.