Staying Safe from Meltdown, Spectre Security Flaws in Computer Chips

There are two distinct flaws at hand, which researchers have named Meltdown and Spectre. They were discovered independently at a number of organizations, including Google, German cybersecurity company Cyberus Technology, and Austria’s Graz University of Technology.

“I first discussed the potential for Meltdown at Black Hat 2016,” says Daniel Gruss, an information security researcher at Graz University of Technology, referring to the annual cybersecurity conference. Speaking via Skype, Gruss, who helped author technical papers detailing the bugs, says he doesn’t know why the flaw managed to go unnoticed for such a long time.

And it’s been decades. Meltdown, according to the researchers, affects every Intel central processing unit, or CPU, made since 1995 with the exception of the ones sold under the Itanium and Atom brand names and released before 2013. (Itanium chips were made for business computer systems, while Atom chips were built into many inexpensive netbook computers.)

In a published statement, Intel said it and other technology companies had "been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed."

The vulnerability effectively removes the barrier that prevents sensitive data generated by the operating system from being exposed to applications—which includes everything from your web browser to spreadsheet programs and word processors. Computers are supposed to let applications use the operating system without having extensive access to it. Theoretically, hackers could exploit Meltdown to gather personal information stored by the OS.

“The unsettling thing about this is that we know this vulnerability existed for 10, 15, 20 years,” Gruss said. “This is not good because we can’t know whether there was someone or some organization who used it for malicious purposes.”

Meltdown affects only Intel products, but Spectre is a problem in processors made by Intel, AMD, and ARM (whose chips are typically found on mobile devices, including both iOS and Android smartphones), according to the researchers’ technical paper.

While Meltdown affects the communication between an application and the operating system, Spectre breaks the separation between applications.

The result: A malicious program might be able to exploit Spectre to steal sensitive data that was generated by an unrelated application.

Both flaws are present in the CPU hardware, not in the operating systems or any other software. And that’s why they affect both Windows and Mac computers.

“I doubt we have ever had a computer vulnerability which was so huge in terms of the range of devices that are affected,” Gruss says. And, he notes, cloud computing services are involved, too. That creates an even bigger security vulnerability than the flaws in consumers’ computers.

Malicious software loaded onto a server, such as the ones Amazon Web Services runs for many websites, potentially could have access to vast amounts of consumer data. AWS and other cloud computing companies say they have largely fixed the Meltdown vulnerability in their systems.

News of the flaws surfaced on Tuesday, when the British technology website The Register first reported efforts to patch the problems. In response, the researchers published their findings on Wednesday, earlier than they had originally planned.

As unnerving as all of that may sound, there are steps consumers can take right now to protect themselves.

Windows users should immediately run Windows Update, because Microsoft has already released a patch for Meltdown.

Mac users, it turns out, have been protected from Meltdown since last month, with Apple confirming late on Thursday, Jan. 4, that the macOS 10.13.2 patch released on Dec. 6 protects against the bug. The patch can be downloaded from the Mac App Store. "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time," the company said in a statement. "Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store."

As for the potential slowdowns associated with the patches, researchers say consumers shouldn't be concerned. “There's been some over-dramatization in the media about the performance impact,” says Larabel, the independent security expert who has tested the patch for Linux computers. “At this point, desktop and laptop users simply running Google Chrome, Microsoft Office, or other desktop applications likely wouldn't notice a dramatic impact in their day-to-day use.”

“The bugs are dangerous, the performance hit [of applying the patches] won’t be,” James Sullivan, CEO of Ireland-based cybersecurity company IreSecure, said in a Skype interview.

Fixes for Spectre are lagging behind, and initially researchers said that a solution could require new processor designs. But solutions are becoming available. Intel said on Jan. 4 that it had developed a patch for the bug, and that it would be working with PC makers to deploy it in the coming days. Web browser makers are also working on patches that would prevent hackers from exploiting Spectre via malicious websites. The latest versions of Firefox, Microsoft Edge, and Safari now have the patch, while Chrome is expected to receive it in the coming days.

Researchers have noted that Spectre is more difficult to use for criminal activity.

“This is hard to exploit at scale,” Sullivan says. “It won’t all of a sudden sweep across the globe—but it will still bite you on the bum if you don’t patch.”

Editor's Note: This article has been updated with new information about the macOS patch, the Safari patch, and fixes for the Spectre security flaw.