Everything You Need to Know About Spectre & Meltdown

Last week, security researchers revealed two major software vulnerabilities that, in one way or another, affect just about anything with a processor. The flaws, called “Spectre” and “Meltdown,” can potentially allow hackers to steal encrypted passwords as you type them in. If Spectre has you spooked, read on to learn more about these vulnerabilities and what’s being done to fix them.

What are Spectre and Meltdown?

Both Spectre and Meltdown refer to variants of the same vulnerabilities, all of which many researchers are considering catastrophic due to their widespread nature. And, they’ve been given names to match the extent of their impact. Spectre refers to a root cause, or to something that is difficult to fix (and will haunt us for years to come!). Meltdown is used to describe the “melting of the security boundaries” that is occurring, since the bugs make the usual protections from hardware unenforceable.

The vulnerability was originally thought to only impact Intel chipsets. However, it’s far more complex and widespread: nearly all systems are affected, from desktops and laptops to mobile devices, across Intel, AMD and ARM processors. All memory data from running apps is potentially vulnerable: password managers, photos, documents and more. As one researcher told ZDNet, “an attacker might be able to steal any data on the system.”

Essentially, each vulnerability is a security flaw in nearly every processor built in the last 20 years. This means a vast number of systems – all those built with Intel, ARM, or AMD processors – will require a security update. The bug itself is linked to how regular apps and programs “discover the contents of protect kernel memory areas.” In operating systems, kernels act as the core component; tying together applications and data processing, memory and hardware. The flaw in the affected processors may allow hackers to maneuver around the processor’s kernel access protections, making the contents of the kernel’s memory vulnerable.

Just how bad is it?

The initial focus of the patches has been on personal devices. Numerous patches are already available, but researchers are still investigating the effect Spectre may have on cloud services, where several organizations are sharing the same resources. There’s been some speculation about data vulnerabilities—where one cloud tenant may be able to access the data of another.

Consider the impact, across the cloud, with privilege escalation. The reality is, data could be stolen in any instance where tenants share the same chip in services such as Amazon Web Services (AWS) or the Google Cloud. Small to mid-size organizations are especially vulnerable here, since so many of them run their entire businesses on shared cloud services.

Regarding your personal computer, this is when a hacker could leverage Spectre essentially take over your entire computer. But before you panic, remember, there are other ways a hacker could do this today (without these newly discovered vulnerabilities), so frankly, it’s up in the air as far as how much your risk has increased.

What’s being done about it?

Software patches have been released one after the other to help reduce the risk. Microsoft released an emergency patch January 3 and Intel is issuing updates for all types of processors, starting with those new in the last five years. Apple has released three updates to protect Safari and WebKit. And, cloud service providers, such as AWS and Microsoft Azure, are all deploying patches as well, while they wait for third-party patches to roll in to complement their efforts. But to truly reduce the risk, updates will need to be released across all vendors, from Intel and AMD to anti-malware vendors whose software needs to work appropriately with the new patches.

There’s been much discussion among IT professionals about the impact that these updates and patches could have on system performance. Some speculate it could cause systems to dramatically slow down, and others say that if Intel processors are using Skylake or more recent architecture, the impact will hardly be noticed. If organizations do experience a noticeable slowdown in performance, it’s likely they are using older processors.  

What you can do about it

There’s a few things you can do now to mitigate your risk. The following steps will help shield you from the Meltdown variant:

• If you use Chrome or Firefox, update to the latest versions on January 23.
• In the meantime, for Chrome users, here’s an easy workaround: copy and paste “chrome://flags/#enable-site-per-process” into your browser, and click “Enable.” Site Isolation loads each individual website as a separate process, preventing other remote connections from hijacking otherwise safe sites.
• Be diligent about your Windows updates. Make sure update KB4056892 is installed.
• Regularly check with your PC manufacturer’s website to see if they’ve released any news or firmware updates.
• Wait and install third-party updates as they become available.

We know many of our clients are anxious about Spectre and Meltdown. We will continue to keep you posted as updates roll in. In the meantime, please contact us if you have any questions or concerns.