We’ll give it to you straight: There is bad news and good news about Meltdown and Spectre, the two new computer vulnerabilities. The bad news is that the flaws are serious, complex, and have broad implications across the industry, and the good news is that the only thing that you, a typical smartphone and computer user, need to do is make sure the software running on your devices is up-to-date.
These vulnerabilities concern security experts because they have their roots in the very design of the processor that powers your gadget. Unlike some security issues tied to a specific operating system, like an older version of Windows, these are not. It also affects the servers run by big companies like Amazon and Google, which need processors to run.
“The idea of a fundamental vulnerability in CPUs is something that is probably one of the scariest things that you can imagine, because of how vulnerable that can make so many systems,” says Shuman Ghosemajumder, the CTO of Shape Security and a former product manager at Google who focused on click fraud. “In some ways, it’s almost surprising that we haven’t encountered anything quite like this before—but these particular vulnerabilities have actually existed within CPUs for many years now.”
So what are they?
To understand where these security weakness stem from, it helps to know about a process that chips use called speculative execution. Speculative execution is typically a good thing—it helps processors run efficiently. In simple terms, the processor guesses what might come next as it’s computing and does some work in advance to get ahead, in the likely chance that it is right and that work will come in handy. Think of it as doing tasks in your free time that you’re very sure you’ll need to do later, like preparing a report your boss asks for most Wednesdays.
“There’s nothing that’s inherently wrong or insecure about the idea of speculative execution—it’s all about the way that it gets implemented,” Ghosemajumder says.
Both Spectre and Meltdown leverage speculative execution to do something they shouldn’t, and both affect chips from the likes of Intel, AMD, and ARM; Spectre is considered to be the broader threat. Together, there are actually three vulnerabilities, because the term “Spectre” encompasses two different types of attacks.
So how could hackers exploit them?
Tomer Weingarten, the CEO of SentinelOne, a computer security company, explains that Spectre involves one program (like a web browser) becoming compromised and then being used to see what’s going on with another program, like Microsoft Word. Meltdown is a vulnerability in which attackers can get access to a part of the computer’s memory that they shouldn’t have access to. Weingarten says that Spectre may be easier for an attacker to actually use.
“These are probably some of the worst vulnerabilities that we’ve seen in awhile,” he says.
So what should I do?
The most important thing you can do is keep the software updated on your phone or computer, as well as take standard, commonsense security measures, like remaining aware of phishing attacks via email.
Companies have already been pushing out software updates to defend again these vulnerabilities. Apple explains in this post how software it has released for iOS devices and Macs mitigates against Meltdown and Spectre; Google summarizes the status of its services here, including Android and the Chrome browser (which will see an important update on January 23); the search giant also has explained the steps they’ve taken to secure Google Cloud. Microsoft lays out what Windows customers should do here—they have had issues protecting some machines that use older AMD processors.
“Everyone is moving pretty quickly to be able to try to patch this as effectively they can,” Ghosemajumder says. With Chrome, one advanced move to consider turning on is a feature called site isolation.
Although there are concerns that these updates will slow down processors to varying degrees, ultimately, it’s in your best interest to install the patches. As Ghosemajumder warns, the most vulnerable machines around the world are the ones that are “left behind,” because people can’t or won’t update the software, so these exploints could be used to target those devices globally.
“The Spectre and Meltdown vulnerabilities will become part of the standard toolkit for all attackers,” he says.