Duo security vulnerabilities called Meltdown and Spectre are making their rounds. Scary names…right? Likely heard the buzzwords in the media to describe execution side-channel vulnerabilities within common Intel CPUs and other chips. No known exploits of these scary computer bugs impacting customers at this time. This open wound went unnoticed for two decades (since the mid-90s). Unbelievable. …and guess what? The patch potentially could slow down your machine or device. Sounds like a cover-up or conspiracy to me!
Not just limited to Windows PCs
I would love to blame Microsoft, but it is derived from the flaws in Intel, AMD and ARM (variant) CPUs. The majority of modern microprocessors run Windows operating systems including mobile devices. Apple Macs and iOS supposedly were patched with macOS High Sierra 10.13.2 and iOS 11.2.2 respectively. There is no hardware fix for Spectre, so Apple is addressing the vulnerability using Safari-based software workarounds. I have Raspberry Pi which isn’t susceptible to these vulnerabilities, because of the particular ARM cores that it uses.
Who discovered it?
I heard about some inherent bug with Intel a year ago, but now it has gone public. Google Project Zero, the team of security analysts who catch security bugs, reported these vulnerabilities last year. Hard to imagine it took that long to find a fix! Last month, three Graz researchers came upon the discovery almost simultaneously and reported it to Intel. Just a coincidence? They were not the first to warn Intel about the potentially industry-shaking security flaw. Of course, you need proof of concept before disclosing them publicly, but seriously why did it take so long?
Potential scandal?
Intel peddled these sub-par CPUs for years…they should have been more transparent and accountable for their mistakes. I realize the mighty chip giant Intel has a certain reputation to uphold, but give me a break. Likely a big cover-up by Intel and possibly the NSA, who took advantage of this vulnerability to spy on suspected criminals. Linus Torvalds, the famed Linux developer, had some pretty harsh words for Intel on the massive security fiasco. I don’t blame him. If I got sold winter tires that were inherently flawed and led to blowouts, damage or serious repercussions, I would want a replacement. Not on the same scale, but hopefully you get the point.
Pretty spooky names
I have a feeling they came up with the name on a Halloween night. Pretty spooky names for good reason. The Meltdown security flaw can be interpreted as “melting” the border between programs and the operating system and this will linger for years to come. Pretty hard to patch old machines that span two decades. It also may come from a German-language pun…. a melting of the core or “‘Kernschmelze” in German. Spectre is another multi-layered flaw with the ability to be cloaked like a ghost. HP has an existing line of mobile laptops with the unfortunate name of Spectre. Not related. They had the name long before this security vulnerability came to light. You have to wonder if it is going to hurt sales.
How to protect ourselves
Pretty scary when private conversations can be leaked out of a program with no permissions at all. There should be safeguards underpinning how microprocessors protect the sensitive memory core. The good news is updates are being rolled out by Microsoft, Apple, Google and Linux systems in collaboration with chip makers, device manufacturers, and app vendors. If you are running an old Android device, you may be out of luck. Make sure you run software updates on your machine ($MS Update) and do your homework before you apply the fixes. Meltdown is the most serious flaw which can’t be fixed with a microcode update or firmware update. They need help from chipset and motherboard manufacturers. Right now, Intel and Microsoft are issuing patches and focusing on Windows machines that are less than 5 years old.
Luckily, there are no known exploits for Meltdown and Spectre in the wild. To lessen the impact of security bugs and flaws, we need to practice safe browsing habits and be diligent about patching our machines and devices. We are at the mercy of hardware manufacturers and software developers once again. Pretty scary thought indeed.
