Unless you’ve been living under a rock this past week, you’ve probably heard something about Meltdown and Spectre. These cyber attacks look to exploit a serious flaw embedded in just about all modern processors. Unfortunately, this flaw isn’t limited to personal computers. Smartphones as well as other smart devices are also at risk.
In order to understand how Meltdown and Spectre exploit your system’s processor, you must first understand a key function of modern CPUs: speculative execution. Without going into technical detail, speculative execution improves CPU performance by predicting which path a program will take and executing instructions along that path ahead of time, in whatever order the CPU sees fit. This avoids potential bottlenecks that would otherwise increase processing time. In the event that the processor fails to predict the correct path, the work is rolled back in a way that is invisible to applications, but traces of it can remain in the CPU’s memory cache. These attacks exploit this behavior, allowing them to extract information from the cache. Like a reverse phone number lookup, Meltdown and Spectre can access an unprecedented amount of sensitive information.
Meltdown And Spectre Vulnerabilities
While both of these attacks exploit the same processor flaw, the Meltdown attack causes the greatest amount of concern. This is because Meltdown allows the attacker to access information from the computer’s “kernel” (the central part of the operating system). The kernel essentially acts as a bridge between the computer’s applications and the processing unit. By peering into this location, Meltdown can extract the most sensitive information on a given device. As you can probably tell, an attack that can penetrate this deep into a computer system poses a massive security risk. For that reason, just about every major tech company and manufacturer has issued a patch to address this vulnerability.
Spectre, while still a significant security threat, is a far more difficult attack to execute than Meltdown. Unfortunately, this also makes Spectre more resilient to patches that otherwise address Meltdown. Some researchers believe software updates will not be enough to completely protect our systems from Spectre. Only by developing new hardware without speculative execution can we completely eliminate the threat of Spectre. That being said, it may take years before CPU manufacturers can develop such a chip. Until then, Spectre will continue to haunt our processors.
Another issue regarding these exploits is that no single company can fix either on its own. In order to address these vulnerabilities, processor companies (Intel, AMD), operating system companies (Microsoft, Apple) and cloud service companies (SAP, IBM) have to work in tandem. So far the efforts of these companies have successfully created a working patch for the Meltdown attack (while still addressing Spectre in some ways).
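To check whether those patches are actually active on a Linux machine, the kernel's own status report can be read and classified. This is an added example, not part of the original post; it assumes a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` directory, and the sample values are constructed.

```python
import os

# Recent Linux kernels report per-vulnerability status here, one file per issue.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(base_dir=SYSFS_DIR):
    """Return {issue: raw status line}; None when the kernel does not report it."""
    report = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(base_dir, issue)) as fh:
                report[issue] = fh.read().strip()
        except OSError:
            report[issue] = None  # older kernel or non-Linux host
    return report

def needs_attention(report):
    """Issues that are vulnerable, unreported, or in an unrecognised state."""
    return sorted(issue for issue, raw in report.items()
                  if raw is None or classify(raw) in ("vulnerable", "unknown"))

# Constructed sample: Meltdown patched, Spectre variant 2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    live = read_status()
    for issue, raw in live.items():
        print(f"{issue:12} {raw or 'not reported by this kernel'}")
    print("needs attention:", needs_attention(live) or "none")
```

A missing file is treated as needing attention because a kernel too old to report its status is also too old to carry the fixes.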
The Impact Of Meltdown And Spectre
Even though fixes for Meltdown (and in some ways, Spectre) have been released by most major manufacturers, some devices have yet to be patched. For those devices that have fixes available, installing the patches can slow down your computer by upwards of 30%. While the typical user might not notice a slowdown, the same cannot be said for everyone. In fact, many systems that rely on cloud computing are having trouble. For instance, Epic Games, the creator behind the popular shooting game “Fortnite”, has had numerous reports of login failure and server downtime since the patches went public. The company has since revealed that a third-party cloud service, responsible for handling the game’s influx of players, is at fault for the issues.
If you happen to be running an AMD chip, however, a 30% slowdown is the least of your worries. Many AMD users who have installed Microsoft’s Meltdown and Spectre patch have bricked their entire system. Microsoft seems to be working on a fix for this issue, so we’ll be sure to update this blog when the fix arrives. In the meantime, if you happen to own a device with an AMD chip in it, make sure you disable the Windows auto update feature. Hopefully, as developers learn more about these vulnerabilities, more efficient ways to address Meltdown and Spectre will be found. For now, however, we’ll have to settle for slower processing speeds and failed login attempts.