Meltdown and Spectre Security Threats Explained


By Evan Vuckovic

Meltdown and Spectre are the names given to three major techniques used by cybercriminals to extract information from nearly all computers, mobile devices, and even the cloud. If you were counting, Spectre is a blanket term for two of those techniques and Meltdown is the name of the third.

Wondering if you are vulnerable? If so, this blog explains what happened, whether you’re protected, and what you can do to keep your information safe.

The Spectre and Meltdown security threats are in all Intel CPUs (Central Processing Units) from 1995 to today, and these threats exploit a process called Speculative Execution.

While Apple and Microsoft both released updates in January 2018 to address the exploitation techniques, there is still a lot of confusion on the internet.

What is Speculative Execution?

Speculative Execution is a procedure used by CPUs to optimize computing performance by carrying out multiple tasks at once. With speculative execution, the CPU can better serve users by predicting the path that has the highest probability of being taken and then ‘prefetching’ that information. When a CPU predicts the incorrect path, the prefetched results are pushed to an unsecured portion of its cache memory. This creates a pathway, or ‘backdoor’, for bad actors to enter through and access the prefetched information.

The History of Speculative Execution

Originally, computers were self-contained systems which used speculative execution to pre-process calculations. These calculations were pushed to the same section of cache memory as on a modern computer, but in the case of a self-contained computer, there wasn’t a way to access the unused data. Since this was not seen as a risk, there wasn’t a need to secure the information.

The Speculative Execution Vulnerability

Over the years, computers and phones became more connected with the rise of the internet and cloud computing. The rise of cloud computing led to abstracted internet services (including software, storage, servers, and databases) that share information through the cloud network. This allows us to share various system resources with other systems and applications. The problem arises when machines run speculative execution and unprotected data ends up in shared memory.

What is Meltdown?

Meltdown is a security threat that exploits a “rogue data cache load,” which allows potential bad actors to access kernel memory. The Meltdown exploitation is formally known as CVE-2017-5754. According to Apple, the Meltdown technique to read kernel memory “has the most potential to be exploited.”

What is Spectre?

Spectre is a security threat covering two different points of exploitation known as “bounds check bypass” and “branch target injection.” These two vulnerabilities are formally named CVE-2017-5753 and CVE-2017-5715, and are collectively known as Spectre. This process takes advantage of the lag in time a busy CPU takes to verify memory access. As with Meltdown, Spectre can also lead to kernel memory leaks. Although Spectre is a less likely threat, the security risk comes from running JavaScript in a web browser.

Who’s Affected by Meltdown and Spectre?

Affected Chips: AMD, ARM, and Intel

Affected OS: Android, Chrome, iOS, and macOS

For Apple and Microsoft Users

Some have speculated that security patches will slow down both Microsoft and Apple devices. Although this is a likely scenario, we shouldn’t expect any significant decreases in speed from any of their devices. In December 2017, Apple tested the speed of their updates and found “no measurable reduction in the performance of macOS and iOS.”

Apple Meltdown and Spectre Patches

Apple has released security (patch) updates for macOS High Sierra and iOS. This will defend against Spectre. According to Apple, “These issues apply to all modern processors and affect nearly all computing devices and operating systems.”

  • The Meltdown patch came in the following software updates: iOS 11.2, macOS 10.13.2, and tvOS 11.2
  • The Spectre patch came later in software updates: iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan

Update your Apple OS and iOS here: https://support.apple.com/en-us/HT201222
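As an added example (not from Apple or the original post), the sketch below checks a device inventory against the minimum versions listed above. The product labels, status strings and inventory rows are constructed, and treating macOS releases newer than 10.13.2 as containing the Spectre fix is an assumption.

```python
# Minimum fixed versions, taken from the two bullets above.
MELTDOWN_FIX = {"iOS": "11.2", "macOS": "10.13.2", "tvOS": "11.2"}
SPECTRE_FIX = {"iOS": "11.2.2", "Safari": "11.0.2"}
MACOS_BASE = "10.13.2"  # Spectre fix shipped as a Supplemental Update to this


def parse(version):
    """'11.2' -> (11, 2, 0). Numeric fields, so '11.10' sorts after '11.2'."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check(product, version, fixes):
    if product not in fixes:
        return "not listed"
    return "patched" if parse(version) >= parse(fixes[product]) else "missing"


def audit(product, version):
    """Return the Meltdown and Spectre patch status for one inventory row."""
    result = {"meltdown": check(product, version, MELTDOWN_FIX),
              "spectre": check(product, version, SPECTRE_FIX)}
    if product == "macOS":
        v = parse(version)
        if v[:2] < (10, 13):
            # Sierra / El Capitan receive the Spectre fix through Safari 11.0.2.
            result["spectre"] = "check Safari"
        elif v < parse(MACOS_BASE):
            result["spectre"] = "missing"
        elif v == parse(MACOS_BASE):
            # The version string is identical with or without the supplemental
            # update, so this row needs a manual check of the installed updates.
            result["spectre"] = "verify supplemental update"
        else:
            result["spectre"] = "patched"  # assumption: later releases include it
    return result


# Constructed sample inventory: (hostname, product, version).
INVENTORY = [("phone-01", "iOS", "11.2"), ("mac-07", "macOS", "10.13.2"),
             ("mac-02", "macOS", "10.12.6"), ("mac-02", "Safari", "11.0.2")]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(host, product, version, audit(product, version))
```
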

Microsoft Meltdown and Spectre Patches

Microsoft has currently issued 41 patches for their 45 different editions of Windows. Throughout Microsoft support forums, there have been issues with AMD PC owners rebooting, but these systems are about 10+ years in age. I wouldn’t worry about it too much, but it is something to make note of for both Microsoft and Apple as I have experienced some lags here and there.

Update your Microsoft software here: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

Bottom Line

The world of cybersecurity is currently playing catch-up, and we should expect to see further exploitations revealed to us in the future. Both the Meltdown and Spectre exploitation techniques put virtually all machines at risk, but security patches from Apple and Microsoft are available. As updates continue to be released, we should also expect our devices and machines to be slow from time to time and to act in unusual ways as new updates roll in.