What is Meltdown/Spectre and How Does it Affect You?

Worried about the CPU vulnerabilities being reported in the news? Our contributor Jesse Schooff has the low-down on Meltdown/Spectre, and how you can protect yourself.

If you’ve glanced at any technology news this week, you probably already know that the tech world has been rocked by a pair of new, major security vulnerabilities. One of these two vulnerabilities affects not just Intel processors, but nearly every CPU made in the last 20 years.

The vulnerabilities are serious, their explanations complex, and their ramifications have shaken the technology industry to its core. That said, it’s also important that everyday users have some sort of primer on how these bugs will affect them, and what kinds of things users can do to protect themselves.

What is Meltdown/Spectre?

Meltdown and Spectre are security vulnerabilities which exploit a feature in many modern CPUs called speculative execution. 

Imagine that every morning and evening, your roommate and/or significant other asks you to make tea. “Could you put on the kettle?” they ask, and so you do. As a routine develops, you begin to predict their next requests. If it’s morning, they’ll ask you to get down the black tea. If it’s evening, they’ll ask for a decaffeinated, herbal tea. Instead of waiting for your partner to issue individual requests every time, (put on the kettle, get down some black tea, grab us some teacups, etc) you start to anticipate their requests in the name of expediency. The result being that if they ask you to put on the kettle in the morning, you know that they’d like you to make some black tea, with sugar, in teacups for the both of you.

For the last two decades, computer processors have been doing something similar. The advantage to speculative execution is that if a program or operating system asks the CPU to do something it has already anticipated, the CPU can deliver the results immediately. If asked to do something unexpected, the CPU merely discards its predicted results and carries out the new instructions instead.

The problem — as security researchers from Google discovered last year — is that by measuring how long it takes for a CPU to process individual instructions, a sneaky program can make very good guesses about what other instructions have recently been executed. With enough time and data gathering, the sneaky program can build a map of what’s in the computer’s memory, including the memory used by the kernel — the core of the OS. This could include passwords, encryption keys, and other highly-sensitive data.

That in turn could allow an attacker to take control of your device, or decipher your encrypted communications — both very bad possibilities. 

How Could it Affect Me?

While the seriousness of these vulnerabilities cannot be understated, the good news is that there’s a good chance you’ve already installed a security update that has partially patched the Meltdown vulnerability. Security researchers and vendors have been furiously working in secret over the past two months (not wanting to go public with the vulnerability until it was mostly fixed). Recent security updates for current versions of Linux, macOS, Windows, and iOS have all included patches to prevent this kind of attack. 

Unfortunately, it remains doubtful that we’ll be able to patch OSes to fully protect against the Spectre vulnerability (so whimsically named because the speculative execution bug may haunt us for a long time — har har). Worse, it’s been demonstrated that a Spectre attack can be leveraged using a Javascript in a web browser.

Because you can’t patch a CPU, and because we can’t throw away all our devices tomorrow, we’ll have to remain at a heightened-vigilance about our computer security. 

ACK! What Do I Do Now?

First, take a deep breath. Maybe make yourself a pot of tea, if you haven’t already done that.

The best course of action available is mostly the same advice IT pros have consistently given, but which bears repeating:

Install Software Updates!
This is always good advice, and right now, more important than ever. If you haven’t installed the latest security patches on your computer/mobile device from the last several weeks, chances are you’re vulnerable. Go fix this right now.

Mind What Sites You Visit
The fact that Spectre — an unpatchable, kernel-security flaw — is able to be leveraged by the 

javascript on a web page, is terrifying. More than ever, users should be wary of websites they don’t trust (close your tabs, already!). Web browsers will help protect against Spectre attacks by randomly varying the execution timing of javascripts, but only if you’re using the latest version of a modern browser (see previous point of advice).

Get Vigilant – Stay Vigilant
If someone tells you, “This attack can only be executed locally, so you have nothing to worry about,” that person is not giving you completely accurate advice.

Hackers use exploits in combination for the best leverage against your device’s security defenses. For example, a program might employ one bug to install a script on your machine, and then use Spectre to read the admin password from memory, which in turn would allow the script to seize control of your machine.

The only way to truly defend against Spectre is to make infosec-awareness part of your everyday life. I have already written a pair of articles which are good primers on personal digital security. For more in-depth, step-by-step info, the Electronic Frontier Foundation has an excellent and user-friendly Surveillance Self-Defense website.

As renowned technologist and computer security expert Bruce Schneier points out, these vulnerabilities exist because, in a rush to make computers faster, we didn’t consider the security ramifications of our innovations. Meltdown/Spectre, and the many, MANY serious infosec incidents of the past year have demonstrated that everyone — from ordinary users to CPU engineers — need to start thinking about computer security first, and consider it carefully.

(Note: This is a simplified explanation intended for average human beings to digest. If you’re a techhead looking for an expanded analysis on the differences between Meltdown and Spectre, or details on how the tech industry is responding, Ars Technica has an excellent rundown of Meltdown/Spectre on their site.)

Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca