Amid all the celebration that rung in the new year, the Internet has also been flooded by an ominous slew of articles on the Meltdown and Spectre processor exploits. Unlike the occasional scare that affects only certain devices running specific hardware or software, and is usually easily fixed, these two likely impact pretty much anyone whose device uses an Intel processor (and in the case of Spectre, AMD and ARM processors as well).
A quick overview
The vulnerabilities were made public on January 3 by Jann Horn of Google Project Zero and independently by other teams and individuals. They are similar in the sense that they exploit flaws in CPU architecture dating back decades to extract user information both from local applications on a device or, in the case of Spectre, from websites through a web browser.
Essentially, Meltdown exploits hardware vulnerabilities by accessing data that processors pre-fetch in an attempt to speed up their working, but fail to completely delete from their caches afterwards. This issue affects Intel processors released as early as the mid 90s, but is being mitigated through patches released by Intel and other manufacturers, who use the company’s chips in their products.
Spectre, on the other hand, affects more devices, and its ability to exploit software applications previously thought to have been made with no vulnerabilities makes it harder to counter, hence the name, as it will ‘haunt’ us for a while. The exploit can be leveraged through Javascript to steal data from browsers, and this feature makes it difficult to identify what form a hack can take.
What you can do
As a user, not much. The tech industry as a whole is aware of the issue and Meltdown patches are already being issued, so the best option is to download and install all driver and operating system updates released by the respective vendors. As for Spectre, companies like Google have issued a list of their services and their current safety levels, which also highlight recommended actions for users, one of which involves enabling ‘site isolation’ on Google Chrome to help stop Spectre attacks. This feature works for Chrome on Android as well, though Google warns it may lead to ‘performance issues’.
Since no known attacks have happened yet, anti-virus software are still in the dark, but it is likely that as soon as something is spotted, they will update detection parameters, so keep an eye out for updates from your anti-virus provider. On Android, ensure your device is updated to the latest security patch issued by the device manufacturer.
For more detailed information about your systems’ vulnerabilities and answers to frequently-asked questions, visit www.meltdownattack.com .