Nonprofit Resources

print

The Meltdown and Spectre Vulnerabilities Explained

print
Details have surfaced about two serious vulnerabilities affecting chips used in almost all devices. Although these flaws were discovered in Intel, AMD, and ARM processors a year ago, the consequences were not disclosed publicly until January 2, 2018.

The researchers who discovered the vulnerabilities, dubbed Meltdown and Spectre, said that “almost every system” developed since 1995, including computers and phones, is affected. The researchers verified their findings on Intel chips dating back to 2011 and released their own proof-of-concept code to allow users to test their machines.

Meltdown largely affects Intel chips as far back as 1995, while Spectre is more on the ARM (smartphones) and AMD chip side. The issue with the flaws is extremely dire, from a technical standpoint.

The risk with Meltdown is that anything that runs as an application could potentially steal your data, including simple things such as JavaScript from a web page viewed in a browser. The Google team that discovered the flaws noted that this affects essentially anyone who uses a personal computer.

Spectre is a little more complicated to exploit, and although it affects all central processing units (CPUs), it is more focused on ARM and AMD chips. As this flaw uses a different approach for execution, it’s not clear there are hardware solutions to this class of problems for anyone.

Google, Apple, Intel, and AMD have been working quietly together on patches deployed this week and for upcoming release. There has not yet been a coordinated attack performed with the flaws. However, because the flaws affect inherent designs in the chips, without a complete recall of every chip in the world the vulnerabilities will remain for years as Intel and AMD will not discontinue the chip manufacturing that the flaws are targeting to begin with.

Experts anticipate hackers will quickly develop programs to launch attacks now that the information is available.

So what can you do? Here’s what to be aware of now:

  • Apple is essentially advising everyone to update every Apple device they own
  • Android devices running the latest security update, including Google’s Nexus and Pixel smartphones, are already protected
  • If your organization uses AWS, Google Cloud, or Azure cloud services, watch for updates, as cloud services rely on the architecture of these chips

While the vulnerabilities can be patched against, there is no one way to determine if the flaws have been used against you as they do not leave trace logs behind after exploitations.

Reports have noted quite a few serious performance impacts patching will have on computers. Some early estimates predict up to 30% to 43% slower performance in some tasks. Whether users will notice a difference on their computers will depend on the task they are trying to do. Gaming, browsing, and general computing activities are unlikely to be affected, but significant degradation post-patch has been reported for those activities that involve video editing or web servers (which is millions of activities). However, slower performance is worth the reduced risk of a breach of your personal information or your organization’s data.

Please contact cybersecurity@capincrouse.com with any questions about this or other cybersecurity issues.

Lisa Traina

Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.

Leave a Comment