Ready for a sensational, shameless grab for attention?
Every computer, phone, and tablet made in the last two decades has a hardware vulnerability that allows would-be bad guys to steal information. This flaw being in the hardware of all the major CPU manufacturers makes remediation more difficult for everyone. So much so in fact that the United States Computer Emergency Readiness Team’s (US-CERT) initial solution was to replace CPU hardware. They’ve walked that back now, and indeed it does seem like this hardware problem can be solved using hardware.
It’s true. Spectre and Meltdown take advantage of a fundamental piece of high-performance computing known as Speculative Execution, which allows computers to do some tasks ahead of time to speed up processing. Think of it like pre-heating the oven while you get the rest of the recipe together. The Red Hat blog has a great explanation. Imagine you go to the same restaurant every day at the same time and order the same thing. Eventually the chef catches on and starts to prepare your meal before you arrive so that it’s ready as soon as you sit down. Fast and efficient. But what happens to that meal if you change your mind and order something different? It gets tossed out. The same thing happens in computing and, unfortunately for literally everyone, the place that data gets tossed out to isn’t secure. This allows bad guys to sniff kernel memory. You don’t get any greater access than that.
Now for Some Good News
Bad guys must already have access to your computer through some other means. Meltdown and Spectre are not vulnerabilities that facilitate unauthorized access.
Furthermore, these two exploits only allow information gathering. They can’t modify or delete your data, or add any data such as a cryptovirus to your system.
One last bit of good news; as mentioned above, the vulnerabilities can be fixed with software and many of the major players already have patches in place or are working around the clock to get patches out. Microsoft even issued a rare out-of-cycle patch, not wanting to wait for the normal second Tuesday of the month to release their fix.
Now for Some Bad News
The fix is going to slow things down. Some have speculated that fixing Speculative Execution will rob it of its performance benefits, slowing down processors by as much as 30%. However, in real-world testing on standard office tasks on desktop computers the numbers are far lower.
This exploit hits cloud providers the hardest. Because the attack is CPU-based, it’s able to bypass the normal constraints of virtualized computing. If a bad guy were to gain a foothold on a server belonging to a cloud provider, he could spy on all the software running on that server. Google, Amazon, and others are taking this very seriously.
What You Should Do
Update your phones, tablets, computers, and basically anything with a CPU as soon as an update becomes available.