Meltdown And Spectre


Processors are vital to running all our computerized devices, even if we hardly ever think about them. That's why it's a big deal that they have major vulnerabilities, such as Spectre and Meltdown, that leave them open to hacking attacks.

As they run all the essential processes on your computer, these silicon chips handle extremely sensitive data. That includes passwords and encryption keys, the fundamental tools for keeping your computer secure.

The Spectre and Meltdown vulnerabilities, revealed Jan. 3, could let attackers capture information they shouldn't be able to access, like those passwords and keys. As a result, an attack on a computer chip can turn into a serious security concern.

What are the vulnerabilities?

Researchers found two major weaknesses in processors that could let attackers read sensitive information that should never leave the CPU, or central processing unit. In both cases, attackers could see data that the processor temporarily makes available outside of the chip.

Here's why that happens: To make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That's called speculative execution. As the chip guesses, that sensitive information is momentarily easier to access.

One flaw, Spectre, would let attackers trick the processor into starting the speculative execution process. Then attackers could read the secret data the chip makes available as it tries to guess what function the computer will carry out next.


The other flaw, Meltdown, lets attackers access the secret information through a computer's operating system, such as Microsoft Windows or Apple's High Sierra. Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected.

Security experts refer to these sorts of incursions as side-channel attacks, because they access information as it's being used by a legitimate process on the computer.

Is it serious?

Yes. Meltdown is “probably one of the worst CPU bugs ever found,” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention.

The problem with Meltdown is that anything that runs as an application could in theory steal your data, including simple things such as JavaScript from a web page viewed in a browser.

Spectre, on the other hand, is harder for hackers to take advantage of but is also more difficult to fix and is expected to be a bigger problem in the long term.

What can be stolen?

The core system, known as the kernel, stores all types of sensitive information in memory. This means banking records, credit cards, financial data, communications, logins, passwords and secret information could all be at risk due to Meltdown.

Spectre can be used to trick normal applications into giving up sensitive data, which potentially means anything processed by an application can be stolen, including passwords and other data.
