What you need to know about Meltdown and Spectre
This year, a group of researchers published a paper about serious vulnerabilities within the majority of the CPUs (Central Processing Units) designed within the last 20 years, by manufacturers such as Intel, AMD, and ARM.
These security issues, also known as Meltdown and Spectre, could potentially affect all the devices that are using modern processors (PCs, smartphones, tablets, but also cloud computing), by allowing malicious programs to access the Kernel memory – the place where critical information, like passwords, credit cards, and other credentials, are stored.
“Hackers can develop small code sequences, called exploits, that help them gain total access to a system after they are run. So basically, they can access absolutely everything”, explained Mihai Apreotesei, Security Expert at Tremend, in an interview for RFI.
Microsoft, Apple, Google and other tech companies already announced they will provide patches on Spectre and Meltdown, but until all these security updates are released, there are some precautions that users can take in order to protect the integrity of their system. Like in the case of avoiding any other random virus contamination of a device, it’s vital to “install all the security patches coming from the operating system, use an antivirus and remain vigilant and never execute software coming from uncertain sources”, advises Mihai Apreotesei.
Some concerns raised that the latest security patches will seriously affect the performance of the processor, slowing down the whole system by even 30%. “In the first phase, indeed, it seems that the solutions will reduce CPU performance. However, for the time being, it is not certain whether these solutions will be able to improve or whether the performance will be permanently affected”, says Mihai Apreotesei.
Also, in a press release on the CPU vulnerabilities, published by Intel, the company states that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time”.
To find out more about the Meltdown and Spectre vulnerabilities and a possible explanation for how this situation appeared to begin with, listen to the interview with Mihai Apreotesei for RFI, or read the transcript below, to which we have added some more in-depth questions:
Q: Why have these two security issues captured the interest of the public so much?
M.A.: The particularity of Meltdown and Spectre is that not only specific cases have been disclosed, but also new classes of vulnerabilities that exploit aspects of the processors’ microarchitecture. Basically, a new category of vulnerabilities has been exposed.
So even when they work properly and as intended by design, the performance optimization mechanism in modern CPUs have side effects, issues that can be exploited and lead to leakage of information.
Q: Much has been written about how Meltdown and Spectre vulnerabilities will hit PCs, smartphones, and tablets, but less about computers hosting cloud services, and it is assumed that the biggest dangers related to these vulnerabilities are associated with cloud computing (Amazon, Google, Microsoft). What are the possible effects in this area?
M.A.: The main risk for computers hosting cloud services is not the classical virus infection, but the leakage of information.
The impact of information leakage in a cloud system could be major, given the fact that many companies use these services for many complex purposes, such as storing sensitive data or running their business infrastructure. The good news is that the risk of such an event can be reduced by a number of factors. These systems are strictly security-controlled environments, they rapidly deploy security updates in the systems and critical components, do not allow arbitrary code execution (the way in which potential vulnerabilities could be exploited), and the user code is typically limited, for example in server-side applications.
Also, the exploit can be hampered by the fact that in a cloud system, such attacks are easier to detect and stop. And unlike a simple device, where all apps share the system memory, cloud systems are distributed and the execution of a vulnerability exploitation will be limited to the physical drive it is running. The main benefit here is that it will not cover the entire system automatically.
Q: How will users be affected by the fact that the security patches have not yet been universally released, and security breaches have already been announced?
M.A: The worrying issue is how fast Android security updates can be made to phones and tablets because their OEMs have longer delays and difficulties in integrating security updates into the device’s operating system. Also, we’re not talking about a single set of updates that would completely eliminate the vulnerabilities, but a series of patches will continue over time.
R: What do we know so far about these security threats and their effect on our devices?
M.A.: We don’t know all the details about the security threats, precisely for security reasons. The specific issues will be revealed after some security updates will appear in the operating systems. But there is enough information in the media, from which we can deduce what this is about. It seems that there are some issues in the process of manufacturing Intel processors, in terms of implementing performance optimization mechanisms. What is the effect? You can find these so-called “exploits” by which an application can read data from other applications or from the operating system found on other devices. From a security point of view, this is a small disaster.
R: I understand there are a lot of electronic devices affected by these vulnerabilities.
M.A.: We mainly talk about personal computers and, generally, about more complex devices, such as laptops, and less about gadgets.
R: But also phones and tablets.
M.A.: Yes, it is possible, depending on the processor used. Mainly, devices with modern processors.
R: Let’s see, Intel, AMD, and ARM – how much do these types of processors cover out of the total market?
M.A.: They cover a very large part of the market. Basically, the market is divided between these big brands.
R: What kind of information is in danger?
M.A.: In general, system security is at stake. So the whole system can be compromised by these security issues.
R: And how does such a danger, a path through which the hackers can attack, work?
M.A.: The hackers can develop small code sequences, called exploits, that help them gain total access to a system after they are run. So basically, they can access absolutely everything: personal data, passwords, absolutely everything stored in the system, and gives them the possibility to control that system.
R: What can we do to protect our computers, phones, and tablets from these new vulnerabilities? From what I understand, tech companies have announced that they will release some security updates. Is there anything we can do to protect ourselves?
M.A.: Until then, no. The answer is simple and always the same: install all the security patches coming from the operating system, use an antivirus and remain vigilant and don’t execute software coming from uncertain sources.
R: How do these vulnerabilities generally appear? It might sound like a conspiracy theory, but is it possible that they were intentionally placed there? What is going on?
M.A: They are unlikely to be placed intentionally. As a rule, and we can take this case as a notable example, there are small flaws in the design of processors. We could see them as a manufacturing defect. A long class of processor models comes out of the factory with these problems. In this category of problems, unfortunately, there is no solution to remedy the cause. So, as viciously as they are, they can be used only in this state. What is done in these cases is bypassing the problem by modifying the software.
R: Tech companies were talking about some updates that will not solve the problems completely, but will only try to make it harder to access the Kernel memory. In addition, as the first estimates show, the devices would be slowed down by these updates, and this doesn’t sound very good.
M.A.: In the first phase, indeed, it seems that the solutions will reduce CPU performance. However, for the time being, it is not certain whether these solutions will be able to improve or whether the performance will be permanently affected. There were cases in which the processors have been withdrawn from the market due to various problems. Some were not security related, but were related to an incorrect execution of the code.