Two little bugs. One big problem.
By now you’ve heard of Meltdown and Spectre, and like everyone affected by it—which is, in fact, just about everyone—you undoubtedly have questions and concerns. And if you’re not an IT ninja, you may be wondering what exactly these bugs are, what they do, and how they can hurt you.
So welcome to Meltdown and Spectre 101. In an effort to give you the background and the basics, we’ve compiled and simplified some of the information that’s out there. We’ll also go over what can be done—and what has been done—to squash these bugs.
Meltdown and Spectre: The Basics
Meltdown and Spectre are global vulnerabilities affecting many modern computing devices. Unlike a common software bug, these vulnerabilities exist within the architecture of the processor at the point where raw data such as passwords, photos, and emails pass through before becoming encrypted. It’s at this brief moment of transference that the bug opens the door for malicious programs to steal this information from computers, mobile devices, and the cloud.
Meltdown and Spectre: The Background
Discovered by IT researchers in June of last year, the bugs were kept hush-hush in an effort to develop patches, or “Band-Aids,” before cyber criminals could exploit the vulnerabilities. And despite initial reports that only Intel chips were affected, rival chip makers Advanced Micro Devices (AMD) and ARM Holding revealed they’d been affected too, and that the three former competitors had joined forces to find possible fixes.
Want to learn more about the bugs’ background? Tom Krazit, GeekWire’s Cloud and Enterprise Editor, dives deeper into the story in a special edition of their podcast.
Meltdown and Spectre: One and the same?
While there are some important differences between these bugs, the names are often used interchangeably. Unfortunately, these vulnerabilities have been lumped together simply because they were discovered at the same time.
While both bugs allow other channels to obtain information from a CPU’s memory, the Meltdown vulnerability essentially “melts security boundaries normally enforced by hardware,” whereas the Spectre exploitation technique “takes advantage of a computer’s speculative execution process (a mechanism designed to increase CPU performance) in order to access memory.”
This crucial distinction is what makes the potential fixes so different.
Meltdown and Spectre: Squashing the Bugs
While patches exist for both vulnerabilities, only the Meltdown fix seems to remedy the situation entirely. This is accomplished through software updates, whether you’re an individual computer user or managing a major data center.
If only it were that easy when it comes to Spectre.
The patches used for the Spectre vulnerability don’t eliminate it, but rather act as a defense mechanism. And like any defense mechanism, there is always a way around it and a hacker determined to discover it.
So for Spectre, the only foolproof solution seems to be a redesign of processors, a task that could potentially take years.
That said, this isn’t a reason for complete and widespread panic. Chip designers have had months to work on patches, so while your device may indeed have vulnerabilities, it’s not necessary a sitting duck either.
Meltdown and Spectre: Vulnerability Information
Want to learn more? Common Vulnerabilities and Exposures (CVE) tracks cybersecurity exploits and provides information and references to publicly known cybersecurity vulnerabilities. You can find more in-depth information using the CVE IDs that pertain to Meltdown and Spectre below.
- CVE-2017-5715 Branch Target Injection (Meltdown)
- CVE-2017-5753 Bounds Check Bypass (Meltdown)
- CVE-2017-5754 Rogue Data Cache Load (Spectre)
It’s also worth noting that some devices using a different ARM core are immune to these types of attacks. Devices such as the Apple Watch and Raspberry Pi, both of which were designed without the speculative execution process, are untouchable when it comes to Meltdown and Spectre exploitation.