Two newly discovered vulnerabilities have been getting a lot of press recently. Much of it has been quite sensationalistic, due to the nature of the underlying issues.
The flaws are in hardware design — specifically the CPU — and not just one CPU, but apparently a wide variety of CPUs — meaning that just about any computer or device using the most popular CPUs of the last couple of decades is probably vulnerable to the issue.
So, to answer everyone’s first question: yes, your computer or mobile device is likely affected.
The next question is, what to do about it?
Step one: don’t panic.
Protecting against Spectre and Meltdown
Protecting yourself is, honestly, nothing particularly exciting. In fact, it’s just the list of things that you’re hopefully doing already.
Back up. This is not unique to these vulnerabilities. Backing up protects your data from any malware that happens to make it to your machine, as well as a raft of other unrelated issues. If you’re not backing up, start.
Avoid malware. This seems obvious, but it’s one of the fundamental truths about almost all vulnerabilities: without malware to exploit them, the vulnerabilities are benign. Put another way, if you never, ever, allow malicious software on your machine, then it doesn’t matter that these vulnerabilities exist. Ultimately, it’s nothing more than best practices for staying safe online.
Keep all software as up-to-date as possible. Software vendors are rushing out updates and patches to address these vulnerabilities. Even chip manufacturers are developing firmware patches, in some cases. This is another reason why I so strongly recommend keeping updates on automatic, and always on: automated updates will install most of the fixes for these problems without you doing a thing. (Though there are a couple of catches in this case, which I’ll discuss below.) In short, enable automatic updates.
And, of course, pay attention to update notifications from your software or hardware vendors. (I expect scammers to try and leverage all the fear and uproar, so make sure the notifications are legitimate before acting on them.)
That’s basically it. Back up, stay safe, keep up-to-date.
Like I said, the kinds of actions you should be taking anyway.
There are two caveats to mention regarding the “keep up to date” step.
First, not all software will be updated. For example, older versions of Windows — like XP and Vista, which are well past end-of-life — are likely to remain forever vulnerable. If you must run no-longer-supported software, then the burden is on you to keep your system free of malicious software.
Second, it turns out that some anti-malware programs can cause your system to crash — as in blue-screen — if you take the operating system update before the anti-malware tool itself is updated to “play nice.” Microsoft has developed a signaling system via a registry key that anti-malware tool developers can set to indicate that it’s OK to update the operating system. What that means is that you will not get the update until your anti-malware tool has been appropriately updated as well. Needless to say, Windows Defender, which I recommend for most folks, will update in sync with the vulnerability patches.
The action here is simple: check with your anti-malware tool vendor to see if they’ve addressed the issue appropriately, and update those tools as soon as possible thereafter.
The Windows update you want to make sure you have will be some variant of 2018-01. Exactly which one — as indicated by the referenced KB number — will vary depending on your system.
It’s more than the operating system
What’s fascinating, to me at least, is the scope of the response.
All current and popular operating systems — Windows, Mac, and Linux — are being updated.
I believe I’ve even seen firmware updates discussed. While I’m unclear on the specifics, these would be provided by your computer manufacturer.
What’s the risk?
There’s been a lot of hands-in-the-air, world’s-coming-to-an-end press about the impact of these two vulnerabilities.
As of this writing, there’s no known exploit in the wild. No malware has been discovered that tries to use these vulnerabilities to do anything. As I understand it, it turns out to be somewhat difficult to do. Not that there won’t be — I’m sure malware authors are rushing to see if they can exploit this before the majority of systems are updated, but as of right now, they haven’t done so.
The risk is information leakage. Theoretically — and I have to stress that this has not happened yet — malware could examine the contents of memory (RAM) that it shouldn’t be able to. Depending on what’s in the memory, that could be useless, or it could expose sensitive information. The press I’ve seen likes to focus on the potential to expose passwords that happen to be in memory, but my prediction is that authors are probably more interested in retrieving information that would allow them to somehow gain administrative access to the device and install more invasive malware.
Remember, reading anything in memory is nothing new. Malware that happens to gain administrative access — which is the goal of most malware — can do anything. That includes reading anything that’s in RAM or stored on your hard disk. This is simply a new way to do so.
OK, but, what are these two things?
Spectre and Meltdown are two exceptionally complex, esoteric side effects of how modern CPUs try to run software as fast as is possible.
In all honesty, you don’t need to understand them in order to know they’re there and keep yourself safe. And, I’ll say it again, they are complex. But I know that folks are insanely curious about such things, so I’ll try my best to simplify my (admittedly limited) understanding of these two critters.
And to be clear: every analogy is flawed. Almost by definition, trying to come up with a simple analogy to a complex situation leaves information out. If you’re a whiz at CPU architecture, this section — and my gross over-simplification — is not for you. 🙂
First: reading memory versus calculating memory
Both vulnerabilities share one common feature: they gain access to areas of RAM, not by reading it directly but rather by using characteristics of the CPU cache to calculate it.
Let’s say I have a shuffled deck of cards. I place one card at random in my shirt pocket. Normally, you could reach into my pocket, pull it out, and see what it is.
In our analogy, though, you’re never allowed to see the face of the card. In fact, you can’t even see me or my pocket. All you can see is the table between us.
You now ask me to place a specific card face down on the table. For example, you might say “Put the Ace of Spades on the table.” I look through the deck, find the card, and put it on the table — face down — and then put it back in my deck. Then you say, “Put the Two of Spades on the table”, and I repeat the process.
We repeat this, working our way through the cards, until you ask for the card that happens to be in my pocket. When you ask for that card, I reach in my pocket, pull the card out, and put it on the table, and then remove it from the table once again.
All you’ve seen is the backside of cards appearing on the table each time you ask for one. It’s just that one of them happened to appear faster than the others, because it’s quicker for me to reach into my pocket than it is to look through the deck.
You’ve just calculated which card I have in my pocket without ever having seen it.
My pocket is a “cache”, where I can put things to be accessed quickly. The goal of both Meltdown and Spectre is to cause something that you shouldn’t be allowed to see to be placed into a cache, and do so in such a way that you can calculate what it is without even needing to see it.
That timing that allows information to be discovered without actually accessing it directly is what many of the reports on these issues refer to as a “side channel.”
Meltdown gets its name from the fact that it effectively “melts” the barriers put in place to protect data within a running computer.
It takes advantage of the fact that modern CPUs are always “looking ahead” at what’s coming next, and begin processing instructions before they’re needed.
Let’s say you’re allowed to look at all the cards in our deck of cards except the Clubs.
I have a shuffled deck of cards.
You ask me for the first card, and I bring it out, look at it myself, see that it’s not a Club, and then show it to you.
You ask me for the second, and we repeat the process. I’m pretty quick to catch on to what’s happening, so while you’re looking at card #2, I grab the third card and put it in my pocket.
You ask for the third, which I quickly grab out of my pocket, see it’s not a Club, and show it to you. Once again, while you’re looking at card #3, I put the fourth card in my pocket, since I know what you’re going to ask for next. (My pocket can only hold one card.)
You ask for the fourth, I look at it in my pocket, and see that it’s the Three of Clubs. I tell you that, no, you’re not allowed to see this card, and I put it back in my pocket.
I left the card in my pocket/cache. You can now use the technique above to calculate what’s in my pocket without seeing it.
Spectre gets its name from a CPU optimization technique known as “speculative execution”. It sounds like so much magic, but as it runs programs, a CPU attempts to guess or “speculate” what might be needed, before it’s clear whether or not that need will arise.
Back to our deck of 52 cards. You’re still not allowed to see any of the Clubs. This time, however, all the suits in the deck are sorted together — all the Hearts, then the Diamonds, then the Clubs, and lastly the Spades — but within each suite, cards are in random order. You know the order the suits will come in, but you don’t know what value each card will have.
You ask me for the first card and, since it’s not a Club, I grab it from the deck, show it to you (it’s a Heart), and put it back.
You then ask me for the fourth card in the deck. Since it’s also not a Club, I grab it, show it to you (Heart), and put it back.
You then ask me for the eighth card in the deck. Since it too is not a Club, I grab it, show it to you (Heart), and put it back.
But I’m sensing a pattern here. I speculate you’re about to ask for the 12th card, so while you’re looking at the eighth, I grab the 12th (another Heart), and put it in my pocket/cache.
Sure enough, you ask for the 12th card. I quickly grab it from my pocket and show it to you. I speculate that the 16th card (we’ve moved into Diamonds by now) is what you’ll want next, and place that in my pocket while you look at #12.
This pattern works quite nicely until you’re about to ask for the 28th card. Thinking you’re about to ask for that card, which would be one of the Clubs, I put it in my pocket. You haven’t asked for it yet — so I haven’t told you that you can’t see it — it’s just my speculation that put it into my pocket.
But you don’t ask for it. You stop.
You’ve successfully placed something into my pocket/cache that you’re not supposed to see: the Two of Clubs.
You now use the method we discussed above to calculate what it is without needing to see it.
Both Meltdown and Spectre rely on performance optimization techniques used by the CPU. In one case, it leverages the CPU’s ability to say, “I know what you’re going to do next, so I’ll get it ready for you”, and the other takes advantage of the CPU’s ability to say, “I’m guessing you’re going to do this next, so I’ll have that ready for you just in case.”
As you might expect, mitigating these vulnerabilities will have an impact on performance. Some of the assumptions, techniques, and optimizations that the CPU can make will have to be avoided.
Speaking of speculation, estimates gauging the performance impact of avoiding these problems run wild – possibly making things anywhere from 5% to 30% slower. The reality is there is no single number: it depends on exactly how you use your computer and how your software was written.
Honestly, I expect most of us won’t notice a thing.
As long as we keep our software updated, of course.