What You Should Know About Meltdown & Spectre Vulnerabilities

The first major security incident of the year came in the one/two punch of Meltdown and Spectre. First reported publicly by Google Project Zero, these flaws were actually discovered in June 2017, and were reported in confidence to CPU makers Intel, AMD, Google, and Microsoft. The companies agreed to place an embargo on disclosure until the second week of January to give them time to address the issues, but public speculation started on New Year’s Day, forcing responses from the companies before there were prepared.

Because we know that time is your greatest commodity, being affected by such a flaw could slow your productivity and be very detrimental to your business, But before you get too concerned about Meltdown and Spectre, we thought you should understand a bit more about what they are so you know exactly how concerned you should actually be. Basically, each of these flaws are found within the actual chips, which makes them especially worrisome because they can affect most any software or operating system controlled by them. This means that they can affect laptops, desktops, smartphones, and servers, both on-premises and online. The biggest concern is that the vulnerabilities will be used for the exfiltration of sensitive data, including emails, passwords, and other login credentials.

Both of these flaws draw on performance optimization features within the CPU’s. Meltdown works through “out-of-order execution” to melt down security measures and read kernel memory locations, which can then be used to attack other programs or other machines on the same system. Spectre got its name by using a process called “speculative execution” whereby the processor guesses at the next necessary operation code, which could be used to violate security measures and leak confidential information. Since there are no quick fixes to this vulnerability, Spectre could be haunting us for some time to come.

The good news is that no one has reportedly exploited the vulnerabilities at this point, which means that there are currently no known malware programs out there taking advantage of these flaws and trying to steal your information. Any attacks going on right now are academic exercises being used to find ways to fix the flaws. The other good news is that since discovering the flaws several months ago, the CPU makers have been working on fixes, and, fortunately, some are coming just in time. Linux was the first to release fixes for their operating systems, and Microsoft has since released fixes as well.

However, the bad news is that Microsoft has also noted that some of the updates they’ve been releasing have been having adverse responses in AMD systems, including complete shutdowns. The other bad news is that many of the fixes are reportedly slowing down performance time, sometimes by as much as 30%. Mozilla and Google have also stated that they will be addressing the security concerns these vulnerabilities bring up in their browsers with the necessary plugins and applications, but ultimately, the long-term fix will come in the further development of the chip.

These days, new security threats arise daily. To save your time, be sure you have a solid security protocol in place so that these flaws never become an issue for you. We specialize in spending our time keeping on top of these types of issues so that you don’t have to. If there is ever anything that concerns you or that you would prefer to discuss, please contact us to see how we can help.