Just the date has changed, nothing else! Wannacry was one of the hottest news and topic of discussion on the internet last year and now a new type of security flaw in the Intel processors has been found, with two vulnerabilities named Meltdown and Spectre. These two don’t affect only the new PCs or processors, but it can potentially be affecting processors manufactured as far back as 1995.
So, what do they actually do?
Meltdown could allow hackers to “meltdown” the security enforced by hardware between the currently running applications and the computer’s core memory, while Spectre is slightly different. It can still help hackers to trick and remove isolation between different applications, allowing the error-free applications into giving up the information meant to remain secret.
Both of these exploits can be used to steal sensitive data. While Meltdown affects only the PC users, Spectre remains a threat to the smartphones as well.
Meltdown is really worrying security researchers. According to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw, Meltdown is “probably one of the worst CPU bugs ever found.” However, taking advantage of Spectre isn’t very easy, neither is the patching process, so it could create an issue in the near future. Also, Spectre may also need new processors, to get fixed completely.
Wow. US-CERT changes original advisory recommendation from “replace hardware” to “apply updates”.
v1: https://t.co/sN49I3Lkbs
v2: https://t.co/c5tQ0inY4C https://t.co/FwTsMavcb6— Kenn White (@kennwhite) January 5, 2018
Does it only affect Intel processors?
Meltdown affects the Intel Processors only, manufactured since 1995, except Itanium and Atom chips made before 2013. However, Spectre affects all modern processors, no matter whether your PC is having an Intel, AMD, or ARM processor.
What kind of data can be stolen?
The kernel stores all types of sensitive information in memory, which means that banking records, credit card information, financial data, communications, logins, passwords, and other secret information could all be at risk due to Meltdown. But, Spectre can be used to trick normal applications into giving up sensitive data. That means anything processed by an application can be stolen, including passwords and other data.
When will patches arrive?
Big tech companies are rushing to release the fixes for the mitigation of Spectre and Meltdown. A helpful patch list can be found on the Computer Emergency Response Team website, but note that the patches and updates mitigate the risk, but might not remove it completely.
Microsoft, on January 3, released an update for devices running Windows 10 that was downloaded and installed automatically. On the same day, Google, in a lengthy blog post explained all the steps the company has taken to protect users against both Spectre (Variant 1 and 2) and Meltdown (Variant 3).
However, some actions are required from users’ side as well, Users should definitely enable site isolation on Google Chrome browser. Android devices with the most recent security updates will also be protected from the above-mentioned variants. Just after a day, Apple, on January 4 admitted that their products might also be vulnerable to these flaws, and the patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, while the patches for Spectre will arrive for Safari soon.
What should consumers do?
It is advised to the computer owners that they shouldn’t just jump into buying new hardware, instead just be sure that your system is always updated. According to security researcher, Matt Tait, in the case of Meltdown, typical computer users can keep calm. However, they should always stay updated with their OS and Browser as updates arrive and shouldn’t try the ‘remind me later’ option.
However, in case of Spectre, it is a little trickier. Users should enable Site Isolation that makes it harder for untrusted websites to access or steal information from user’s accounts on other websites. In Chrome address bar, type or just copy and paste chrome://flags/#enable-site-per-process and click Enable on Strict site isolation. After this step is done, the Chrome must be restarted for the changes to take effect.
Will the fixes slow down computers?
Spectre fixes are not expected to have an immediate impact on the performance of computers. However, the defending steps needed to protect against Meltdown can have a significant impact. Some early estimates predict up to 30% slower performance in some tasks. However, it not expected to impact gaming, browsing, and general computing activities, but tasks involving a lot of writing files may appear to be slower. Intel’s Process-Context Identifiers (PCID), that has been included with Intel Processors since 2013, can make the results a bit more favourable for users.
