In the last week, we learned about a set of nasty computer chip bugs, dubbed Meltdown and Spectre. Unlike most of the bugs we discuss here, these bugs are in hardware, not software. This makes them impossible to truly fix without replacing the chip. In most cases, since the Central Processing Unit (CPU) itself isn’t removable, that means you would have to actually replace the entire device – as in, get a new computer. Luckily, there are software changes that can be (and are being) made that will mitigate or eliminate these vulnerabilities – but possibly with a significant impact on the speed of the system. Let’s dig in to find out what this means for most people and what you can do about it.
Spectre and Meltdown
In an effort to make computers as fast and efficient as possible, CPU makers have come up with some amazingly clever tricks and techniques. For example, most computer programs have several branches or forks in the road that they can take, depending on various conditions. In order to optimize things, computer chips often look ahead at these upcoming choices (like skipping some pages in a book) and precalculate the response to all possible eventualities. When the conditions are known and the correct result can be chosen, the other possible results are thrown away.
Unfortunately, Intel’s implementation of this feature neglected to protect those results properly. Therefore, a malicious application can actually peek into those results and try to find interesting data. This could include anything at all, including passwords, credit card numbers, and other sensitive data. That’s Meltdown in a nutshell – and sadly this bug exists in just about every Intel processor made since 1995. (It’s unclear yet whether rival chipmakers AMD and ARM have similar bugs.)
Spectre is similar in that it allows a rogue application to peek into the data of other applications. However, the vulnerability is even more widespread, making it even more concerning. It affects basically every single CPU manufactured in recent years – not just Intel, but AMD and ARM devices, as well. (ARM is the CPU favored by smaller devices like smartphones, tablets, set-top boxes, etc.)
Fixes Are Already Available in Most Cases
Since these bugs were responsibly disclosed to manufacturers and affected software makers ahead of time, software patches are already available in many cases. However, since the real bug is in the hardware, the software fixes are mostly just mitigating the problems. Because some of the solutions will involve avoiding the performance-enhancing features, it may mean that the ‘fixed’ computers will end up running slower. From what I’ve read, most normal users probably won’t notice much difference. But cloud service providers, who live and breathe by performance, will be hit the hardest.
We don’t know of any malware that is already using these vulnerabilities, but it will be coming very quickly. The main thing everyone needs to do is update their operating systems and major applications as soon as fixes are available. Again, in many cases, you probably already have the updates. As this is a very fluid and rapidly developing situation, I’m going to refer you to a nice article by Gizmodo that breaks down the current status of updates by broad area. It looks like they’re keeping it updated with the latest info.
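For Linux machines, one way to confirm that the updates described above actually took effect (an added example, not part of the original post): kernels 4.15 and later report their own Meltdown and Spectre status under /sys/devices/system/cpu/vulnerabilities, and this script classifies those reports. The function names and the sample values written by `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's self-reported Meltdown/Spectre status.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status "<text>" -> prints OK, AT_RISK or UNKNOWN.
# "vulnerable" anywhere in the line wins, so a partly mitigated system is flagged.
classify_status() {
    case "$1" in
        *[Vv]ulnerable*)                echo AT_RISK ;;
        "Not affected"*|"Mitigation:"*) echo OK ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_dir <dir> -> one line per bug; returns 0 only if every bug is OK.
check_dir() {
    dir=$1
    rc=0
    for bug in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$bug" ]; then
            text=$(cat "$dir/$bug")
        else
            text=""   # no file: the kernel predates this reporting interface
        fi
        verdict=$(classify_status "$text")
        printf '%-11s %-8s %s\n' "$bug" "$verdict" \
            "${text:-no status file (kernel too old or not Linux)}"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# make_sample <dir>: constructed status files for trying the script elsewhere.
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Vulnerable" > "$1/spectre_v1"
    echo "Not affected" > "$1/spectre_v2"
}

if check_dir "$VULN_DIR"; then
    echo "Kernel reports all three issues as mitigated or not applicable."
else
    echo "At least one issue is unmitigated or unreported: install pending updates."
fi
```

A missing status file is treated as a failure on purpose: a kernel too old to report its status is also too old to contain the fixes.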
This one was really bad. It’s been out there for 20 freaking years and we just now found it. (Wanna bet that the NSA knew about it already?) The only real fix is to throw out our current computers and start over, but that’s not practical. In the short term, we’ll mitigate the issues, and hopefully the CPUs will be fixed in the next few years. But I’m just going to say for the record that this is probably just the tip of the iceberg. There’s a new focus on hardware bugs and I don’t think this will be the last major bug we find.
What You Can Do Now
There’s only so much you can do at this point, but here’s a quick rundown.
- Keep everything up to date. As I’ve said, make sure you have the latest updates for all devices: computers, smartphones, tablets, and other smart devices.
- Limit your exposure. Don’t keep your most sensitive info in lots of places. Do a spring cleaning of your digital files and eliminate extra copies. If you have passwords, social security numbers, credit card info and other stuff in your address book, or notepad, or other insecure apps, remove it. Use your password manager’s secure notes to store this info.
- Encrypt all your sensitive files and info. Encrypt your hard drive and your backups. If you must keep sensitive files in the cloud, make sure you’ve encrypted those files using your own password (check out Cryptomator). All of this is covered in my book.
- Be extra careful. In order for your local computer or other devices to be attacked, you would need to somehow download and run malicious software (malware). Don’t open links or documents that you didn’t explicitly ask for. Surf the web safely.