It was the summer of 2017 when two of the most devastating ransomware variants the world has seen—WannaCry and NotPetya—broke loose, infecting more than 300,000 machines and inflicting losses totaling more than $4 billion.
By early 2018, many institutions and organizations were still recovering from the huge blow that these ransomware instances inflicted when the news broke that Google’s Project Zero had discovered a processor vulnerability. Around the same time, other independent sources also announced that they discovered these hardware flaws. At first glance, many thought these flaws were like the multitude of other vulnerabilities seen in the past. Little did we know the severity of the flaw at that time.
Researchers involved in this discovery named these vulnerabilities Meltdown and Spectre, and they estimated that just about every machine built after 1995 contained this vulnerability. As we look back on more than a year of living with Meltdown and Spectre, here are few frequently asked questions on what these vulnerabilities are and how they affect you.
1. What are Meltdown and Spectre anyway?
As we see them, Meltdown and Spectre aren’t two completely different flaws. They’re more like different variants of the same fundamental underlying vulnerability that affects computer processors. This vulnerability affects nearly every computer processor chip that’s been built in the last 20 years. Malicious programs can gain access to data by exploiting two important techniques: speculative execution and caching.
Speculative execution is a process that helps processors execute a task faster by predicting which branch will be executed. Caching, like speculative execution, is a technique to speed up memory access. Spectre uses speculative execution to access information that is being computed by the processor, while Meltdown undermines the separation between application processes, allowing information to be leaked.
2. It’s 2019. I don’t have to worry about Meltdown and Spectre anymore, right?
Wrong. Even though several chip manufacturing companies and OS vendors have addressed this vulnerability through various security fixes and advisories, there are still new variants of Spectre being discovered. Since these are hardware flaws, they won’t be completely gone until the newest generation of processors are ubiquitously used. So, 2019 or not, Meltdown and Spectre can still haunt you.
3. Among these two, which is more dangerous—Meltdown or Spectre?
Both Meltdown and Spectre are considered dangerous. However, according to Daniel Gruss, one of the researchers at Graz University who discovered the vulnerability, Meltdown is “probably one of the worst CPU bugs ever found.” It can use any application that’s running on your system to steal your data, including credit card information and bank details. Meltdown can be a more serious problem in the short term but can be easily stopped with software updates. Spectre, on the other hand, is hard to exploit but tough to patch, which poses serious problems in the long run. Bottom line: both of these vulnerabilities pose a great threat.
4. How do I get rid off Meltdown and Spectre completely?
Updates from chip manufacturers and OS vendors—like BIOS updates and driver updates—can prevent attackers from using these vulnerabilities. Keeping all your endpoints updated is a good way to avoid these vulnerabilities. However, completely eliminating these hardware flaws is up to chip manufacturers. Intel has announced a new range of processors that are expected to be safe from side-channel attacks.
Protecting your organization from these vulnerabilities in the coming years.
The discovery of Meltdown and Spectre simply reminds us that no computer in this world is completely safe. Even though these arose from hardware flaws that can’t be completely fixed, here are some industry best practices for you to take a proactive approach to defending your organization:
-
Always keep your system updated. This means both software and hardware.
-
Address critical vulnerabilities as early as possible by using automated patch management software.
-
Stay on top of major news in the cybersecurity domain.
Want to test your cybersecurity knowledge? Participate in our cybersecurity quiz for your chance to win a $100 Amazon gift card.