Spectre and Meltdown: Security advisory for the rest of us - 5 January 2018

Post date: Jan 5, 2018 4:44:00 PM

By Sanjana Hattotuwa

What the hell is going on?

News reports, various technical advisories and Google Project Zero researchers have flagged, over the past few days, two major security risks for hundreds of millions of users of computers, smartphones, tablets and other computing devices. The security risks impact CPUs (the main computing chip) made by the two big names - Intel and AMD - as well as a lesser known, but specialist CPU maker called ARM.

What is the risk?

As this website avers,

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Think of it like every car ever sold in recent years having a problem at the very heart of its engine. It’s a microscopic misalignment that, for years and for millions, will not be an issue. But it is nevertheless a fault that, at certain speeds, over a certain mileage, and in certain temperatures, will cause the car to stall and you to lose control. The CPU is like the heart of a computing device.

Spectre and Meltdown impact the very core of what you are reading this on right now, and there is no easy fix.

What’s the best reporting on the issue?

Here’s a good piece in The Guardian. A New York Times article outlines simply and clearly how serious the issue is. For those who are over quota and don’t have a subscription, a PDF of the article is here. As NYT notes,

According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations... There is no evidence that hackers have taken advantage of the vulnerability — at least not yet. But once a security problem becomes public, computer users take a big risk if they do not install a patch to fix the issue. A so-called ransomware attack that hit computers around the world last year took advantage of machines that had not received a patch for a flaw in Windows software. The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.

There is a comprehensive, relatively easy to understand guide to the issue at https://spectreattack.com

What’s possible by exploiting these flaws?

See this tweet by Edward Snowden, which has an embedded video that shows how, on a computing device powered by a CPU manufactured by Intel, AMD or ARM, it is possible for an extremely skilled hacker to gain access to privileged, private information like a password.

Who has said what?

AMD’s statement can be read here. It’s quite informative. Intel’s response, roundly criticised for being dismissive and irresponsible, can be read here. ARM’s, here - which has been widely acknowledged as the best response.

There’s confusion all around. Intel, most probably driven more by protecting its share price over customers, doesn’t want folks to panic and think that the fix to the problem will actually make all computers slower (which is very likely, but equally likely to be imperceptible to the average end user).

Apple and Microsoft have also issued statements, as well as software patches to address, as best they can for the moment, these significant new risks.

Who is affected?

If you are using an iPhone, iPad, running a Mac or a PC, running any operating system (macOS, Windows or Linux), you are affected. Basically, that means everyone who owns or uses any sort of computer, smartphone or tablet.

Are the Russians or the Rajapaksas behind this?

No. The technical fault lies solely with CPU manufacturers. The Russians and the Rajapaksas, in fact, are also affected.

Will I lose my data and job tomorrow?

Because everyone is subject to this security risk, the fixes, to the extent possible, will also be prioritised. This is why updating your device and PC is important. It is extremely unlikely you will be targeted. Both exploits at the CPU level are extremely difficult to execute - which simply put means the effort isn’t worth it, for now and for the majority. Your data on the cloud and on your hard drive, smartphone or tablet is safe, since all major cloud service providers are taking these risks seriously and will in the next few days, if not already, take measures to address the fallout.

What should I do?

Update. Everything. Now. Seriously, do it now - these are critical updates. Repeat next week, as more critical updates are rolled out by CPU manufacturers and also by Microsoft, Apple and others. Repeat regularly in the future, because the best and often line of defence against all risks, Spectre and Meltdown included, is to keep your computer, smartphone and tablet operating system updated - and this includes all apps and programmes.

What not to do?

Don’t click on unknown links on the web, at any time, including over and on Facebook, Twitter, WhatsApp, Viber, Skype or any other online space or mobile app.

Do not click on any attachment, even if it comes from family, loved ones, colleagues, your boss or friends, if it looks suspicious and not really in line with your usual tone or frequency of communication with the sender.

Do not download apps outside of Android Play Store, iTunes, or reputed makers of trusted software.

Do not ask the deity of your choice to protect you, and do nothing. Update first. Then pray, if you must.