Boy, the computer security world has been abuzz because of the two major critical chip flaws that were recently brought into the public eye.
The security issues, known as Meltdown and Spectre, are probably the worst bugs found in processors ever and they might fundamentally change how chips will be designed moving forward.
Read on to learn what we know so far about these massive security vulnerabilities.
Speculative execution: the heart of these flaws
Both Meltdown and Spectre exploit a process called "speculative execution," a capability built into every modern processor.This process makes chips faster by allowing them to predict what tasks your gadget may need and execute them beforehand whether you actually need a task or not. If a task is not needed, then it is discarded.
As demonstrated by Google's Project Zero team, attackers can then exploit flaws caused by this predictive process to access protected areas of a system's memory.
Due to how data is being cached in these areas, hackers can then read and steal sensitive information such as passwords, encryption keys, login info and even files. Anything cached is fair game.
Keep in mind that these flaws are entirely a new class of attacks, meaning, this is the first time a processor's "speculative execution" process has been found to be exploitable.
Since this process is being used as a core optimization technique by all modern chips, this discovery will potentially change everything and it will require a redesign of how chips work. Yep, it really sounds bad, folks.
Note: Meltdown is known as Variant 3 of this type of attack, specific to Intel chips. Spectre attacks are Variants 1 and 2 and these are said to impact AMD, ARM, and Intel chips.
Meltdown
The first flaw that was reported by "The Register" is officially known as Meltdown. This critical design flaw was discovered in Intel processing chips that could let attackers gain access to protected kernel memory areas and steal sensitive information like passwords, login data, security keys and files that are still cached on your computer's disk.To fix this particular flaw, the kernel's memory has to be separated from user processes completely (known as Kernel Page Table Isolation). The downside - according to initial tests, this isolation was found to slow down your Intel-based computers.
Spectre
Spectre is the name the two other variants of this new class of attacks and it can potentially be even worse than Meltdown.First, unlike Meltdown, which reportedly primarily affects Intel chips, the Spectre bug can impact chips from every major manufacturer - ARM, AMD, and Intel. This puts almost every computer, smartphone and tablet at risk of Spectre attacks.
Secondly, while Meltdown can be addressed with software patches, Spectre appears to be a fundamental flaw in how processors work and a software patch may not be able to fix it.
Spectre also abuses flaws in a processor's speculative execution process and does it by taking advantage of the timing delay between the CPU's data cache and the validity checks for a memory access call.
Fortunately, on the flipside, it looks like Spectre is harder to exploit than Meltdown.
Intel's response
Intel confirmed that the design flaws exist and it is working on a solution that will not significantly bog down computers. Since Meltdown is the only variant that is currently patchable via software, we're assuming that the company is referring to this specific flaw.The company also stated that the problem is not unique to Intel chips. Technically this is true because, as mentioned earlier, the Spectre variants affect AMD and ARM chips, as well.
Intel also disputes the claims regarding the performance hits that the fix will bring. The company stated that the slowdowns are dependent on the tasks at hand and average users will not be significantly affected.
"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel wrote in an official statement.
Furthermore, Intel stated that its updates for all types of Intel machines will render them immune from BOTH Meltdown and Spectre attacks.
AMD's response
Advanced Micro Devices aka AMD, also issued its own statement regarding these flaws. Contrary to earlier reports that stated that AMD processors are impacted by at least one Spectre variant, AMD believes that its chips are not vulnerable to all three variants of the attack, including Spectre.According to AMD:
"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
Since the Spectre flaw is apparently a fundamental design flaw in virtually all modern chips made in the last 20 years, we'll have to wait for third-party security researchers to confirm AMD's claims.
What now?
Google's Project Zero wrote that there is no single fix for all variants and each requires a specific method of protection.Fortunately, it is believed that the vulnerabilities have NOT been exploited as of yet and there is no evidence that hackers have abused or are actively abusing them. Technical details about the flaws are still scarce, buying hardware and software vendors some time.
However, since the existence of these flaws is now publicly known, issuing patches and security updates to mitigate these flaws will be the first order of business for hardware and software vendors.
What can you do to protect yourself against the chip flaws?
In the meantime, prepare for these inevitable updates that you must apply as soon as you can to protect yourself from the "chip-ocalypse."Microsoft
Microsoft will likely push its fixes in this month's Patch Tuesday updates for supported Windows systems. Most Windows machines are set to download and install updates automatically by default. If you haven't changed your automatic update settings then you should be fine.On Windows 10, click Start (Windows logo), choose "Settings," select "Update & Security," then on the "Windows Update" section, click on "Advanced Options." (Note: the "Windows Update" section is also handy for showing you updates that are currently being downloaded or applied.) Under "Advanced Options," just make sure the drop down box is set to "Automatic."
Apple
Apple has also confirmed that its products are also affected by the chip flaws. The company wrote in a post that it has already released mitigations for Meltdown in iOS 11.2, macOS 10.12.2, and tvOS 11.2. This means Macs, iPhones, iPads, and Apple TVs are all impacted by either Meltdown or Spectre variants so make sure you keep all your Apple gadgets up to date. Note: The Apple Watch is not affected by Meltdown.Google and Android
Google stated that it already issued security patches for its Nexus and Pixel phones. Chromebooks also received patches later this week.Although the software fixes are ready, rollouts for other Android phones from companies like Samsung and LG, for example, will depend on the carrier and the phone manufacturers themselves.
Keep checking for the latest updates for your Android gadget and apply them as soon as you can.
To manually update your Android gadget, Go to Settings >> scroll down, click on 'About Phone' or 'About Tablet.' (If you have a tabbed settings menu then this will appear in the 'general' section) >> click software update >> click install now, install overnight, or later.
Web Browsers
Since Meltdown can also be initiated via web browsers using JavaScript applications, Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge updates have incoming updates, as well.Firefox 57.0.4 has security patches for both Meltdown and Spectre exploits by disabling a feature called SharedArrayBuffer. Firefox ordinarily updates itself when you open it by default. To manually update, visit mozilla.com/firefox for the latest version.
Google recommends turning on an optional feature in its Chrome browser called Site Isolation to protect against the chip flaws for now. Proper security patches will be included in Chrome 64, due out on January 23.
To turn on Chrome's Site Isolation, paste this on your Chrome address bar: chrome://flags#enable-site-per-process, then click Enable on "Strict Site Isolation."
For more information about Chrome's Site Isolation, click here.
Safari
Apple is set to release an update in the next few days for Safari for Macs and iOS to mitigate the Meltdown and Spectre exploits. Apple claims that its Safari fixes have no significant impact on its speed.
Microsoft Edge and Internet Explorer 11
As mentioned earlier, Microsoft will likely push its security fixes with this month's Patch Tuesday updates and this will include patches for Microsoft Edge and Internet Explorer 11.
And don't forget - Always follow computer safety basics
Aside from keeping your gadgets updated with the latest software, following basic computer safety practices should protect you from these threats.Since these flaws still require malicious code to execute on your computer or gadget, avoid clicking on unknown links and attachments on emails and refrain from installing software and apps from unofficial sources.
Avoid clicking on website ads too that may harbor malicious code. If you want to take it a step further, you can turn off Javascript on your browser (this will limit functionality, however.)
As bad as it looks, there's actually no real reason to panic. Performance hit or not, the incoming patches should mitigate Meltdown's flaw. Spectre, on the other hand, is difficult to execute so its widespread impact will be fairly limited.
Spectre, on the other hand, likely can't be fixed by a simple software patch and security pundits are saying that it might take a new generation of chips to completely eradicate it. Hopefully, updates can still be issued to at least lessen its potency.
A few questions
With these revelations, we can't help but pose some interesting questions. First, why did it take more than 20 years to discover these flaws? Does it take extensive technical and software engineering skills to pull them off in the first place?Did the chip makers know something that they didn't want the rest of the computing world to know? Considering it will require a total rethinking of how chips are designed, didn't they factor how they can affect a processor's speed?
Are they expecting us to relegate all our old flawed gadgets to that big tech recycle bin and wait for newer chips that, of course, will be immune to these flaws? Just asking.