IT Giants Face Up To Spectre And Meltdown But Should Users Be Worried?
US microprocessor manufacturer, Intel has pledged to fix the problem by the end of the month. Apple has promised a repair within a matter of days. And Microsoft has already provided a security update to users of its Windows operating system.
All three have been galvanised by the revelation that a broad range of PCs, tablets and mobile phones are vulnerable to data theft, thanks to two separate hardware weaknesses, reassuringly dubbed Meltdown and Spectre by the industry.
Meltdown affects only machines powered by Intel processors. The moniker Spectre, on the other hand, applies to a vulnerability found on chips made not only by Intel but also those manufactured (or designed) by AMD and ARM. As such, the Spectre bug exposes just about every digital device on the planet to potential attack by criminal hackers and other malicious parties. Potential targets include Android phones and tablets, and as Apple has acknowledged, devices such as iPhones and iPads, which were generally considered to be relatively safe from hacker activity.
The good news is that the industry is taking rapid action. Less reassuring is the fact that a complete fix will take some time. Speaking at the Consumer Electronics Show in Las Vegas, Intel Chief Executive Bryan Krzanich said flaws in his company’s chips would be fixed by the end of the month, with 90% of the work being done in the first week. Microsoft has already published updates, but a patch issued by the company has reportedly caused operating difficulties with AMD-powered machines. Thus, there is still some way to go before the twin problem can be described as done and dusted. And of course, making patches available does not necessarily mean they will be installed by users.
The Nature of the Threat
So should computer users be worried? Spectre and Meltdown are both hardware problems but the vulnerabilities they create have implications for the safety of data processed by digital devices. For instance, Meltdown allows third-party apps to read the kernel memory of an Intel processor, generating a risk that information such as passwords might be stolen. Meanwhile, the Spectre bug enables one application to steal information from another when both are sharing the same processor.
In other words, although the problem rests in the ‘brain’ of the computer – otherwise known as the central processing unit – the flaws in the ‘CPU’ allow crucial data to be accessed by malicious software.
The fact that these gaps in the armour of our digital devices exist doesn’t necessarily mean information has been or will be stolen, but according to Gavin Millard, Technical Director at cybersecurity company Tenable, the risk for organisations and private companies is real.
“The latest vulnerabilities blessed with catchy names and logos are deserving of the hype that will surely build,” he says. “Spectre and Meltdown are both incredibly concerning from a privacy perspective, affecting the average home user and enterprises alike. The long-standing blunder in chip design could enable an attacker to access confidential pieces of information being processed, for example grabbing a password as it’s typed, installing malware that could slurp up anything a user is working on, or browser data to enable to hoover up credit card details and logins.”
Andy Lilly, Chief Technology Officer (CTO) of security business Armour Comms believes the real risk is not to individual users but to organisations that are taking advantage of cloud-based services.
“You might initially be concerned about the vulnerabilities this introduces to your personal computer or mobile phone, the wider danger is where data from many users is processed on the same machine, as happens in almost every cloud-based system where multiple applications (often from different companies) run alongside each other,” he says.
These vulnerabilities could allow a malicious application to examine the private data for another company’s application when present on the same physical machine.
And as Vince Warrington, founder of cybersecurity business, Protective Intelligence points out, computer users can do little except sit on the sideline and wait for patches to be delivered.
“There’s absolutely nothing anyone can do to protect themselves prior to fixes being made available by vendors and manufacturers as the flaws are related to how a CPU normally operates,” he says.
But Warrington stresses that the risks associated with Spectre and Meltdown should be seen in perspective. To date, he says no evidence has emerged that anyone is exploiting either of the vulnerabilities. “This would seem to be related to the level of complexity required to carry out an attack.”
And while Spectre poses the biggest risk to the largest number of machines, Warrington says it is the more difficult of the two exploits, as any attack would have to be tailored to the specific software environment of a potential victim. If such an attack were to take place Warrington believes it would probably be aimed at big businesses or governments.
While computer users – either organisations or individuals – can do nothing to address the microchip flaws, Warrington says action can be taken to reduce the risks of a security breach. Any attempt to steal data will require malicious software – malware – to be loaded onto the system in question. Typically, malware is introduced by emails carrying attachments that automatically download damaging code.
“So using good security practices, such as not opening attachments and regularly updating your software will go a long way towards mitigating your exposure,” he says.
Meanwhile, all users should install the updates supplied by manufacturers and vendors. Patches from Apple and Microsoft are available and those using the latest versions of Linux are also covered. Chromebooks are protected as is the new Google Pixel phone but updates for older versions of the Android operating system will be required. It is therefore vital to check all your devices for update notifications.