Spectre and Meltdown: the chip flaws leaving the majority vulnerable

Spectre and Meltdown are the two vulnerabilities in the chips of billions of computing devices that are haunting the Internet.

Unfortunately, 2018 has got off to a rocky start as researchers revealed the bombshell that billions of computing devices owned by individuals and companies are likely to be vulnerable to bugs. Although there are no reports of the bugs being exploited, it’s only a matter of time now that the vulnerabilities have been brought to light in the public domain.

Who does Spectre & Meltdown affect?

Initially, there was confusion over which brands were affected, because there is not just one vulnerability but two similar ones, named Spectre and Meltdown by their discoverers.

The first flaw to come to light was Meltdown; this is likely to affect mostly Intel chips manufactured since 2010, according to researchers. It would seem that Spectre affects a large number of the Intel, ARM, and AMD processors that have been produced since the 1990s.

Items that could be affected by these flaws are:

·      IPCs (Intel)

·      HMIs (Intel/ARM)

·      Switches (ARM)

·      iPads (ARM)

·      iPhones (ARM)

·      Android devices (ARM)

·      Remote access units (ARM)

In an online Q&A, the discoverers noted that almost everyone is "most certainly" affected by either Meltdown or Spectre, and there is no way to discover whether a hacker has exploited those flaws.

What makes these bugs different?

Unfortunately, these two vulnerabilities are very different from the typical software bugs that regularly occur. Meltdown is an exploit related to reading privileged data from the operating system’s kernel (the core software at the heart of an operating system that controls everything). Spectre is a vulnerability in a feature of all modern CPU architectures designed to speed up processing. While the Meltdown exploit can be “fixed” by immediate patches, it is likely that the Spectre exploit cannot be fixed, only mitigated, without a redesign of the processors. Spectre may indeed be a worry for many years to come.

What’s being done about these vulnerabilities?

Amazon, Apple, Google, and Microsoft are among those that have rolled out immediate software patches over the past few days to address the Meltdown and Spectre bugs. Initial fears were that these patches would dramatically slow down the performance of devices, but this doesn’t seem to be as bad as predicted. Intel said in a statement that it "continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time."

What do you need to do?

For the average consumer who uses their devices for general Internet browsing, following best-practice procedures, such as installing updates when they are made available, should be effective enough. For businesses, it's a different story. Fixing the problems may prove to be a lot more complex. For now, businesses are encouraged to carry out the following updates / patches:

·      Windows - install the KB4056890 security update

·      Mac system - update to macOS 10.13.2

·      iOS device - update to iOS 11.2 or tvOS 11.2

·      Firefox - update to the latest Firefox 57

·      Google Chrome - watch out for Chrome 64, which will be released on 23 January

·      Download and install the latest software and firmware updates from your PC, laptop and motherboard brands. In particular, install the latest driver for the Intel Management Engine (Intel ME), the Intel Trusted Execution Engine (Intel TXE), and the Intel Server Platform Services (SPS)

·      If you are running an ARM processor on Linux, the kernel patches are recommended

Are you worried about how Spectre and Meltdown could affect your business? AAG IT is on hand to offer up-to-date expert advice on the matter, or indeed on any IT problems you may be having. Don’t hesitate to contact us today!