“Spectre” and “Meltdown” may become household words in the months to come as news stories covering the latest computer security bugs start making the rounds.
Wednesday, January 3, researchers revealed two huge flaws in the microprocessors that have powered nearly all computers, operating systems and even cell phones for the past 20 years. Dubbed “Spectre” and “Meltdown,” the pair of vulnerabilities make it possible for criminals to steal most anything stored in a devices memory, including credit card numbers, emails and passwords.
“Meltdown” targets processors made by tech giant Intel by poking holes in processor areas called “kernel memory,” areas used to store information currently in use by the processor. Microprocessors have traditionally made certain areas of kernel memory off limits to all programs and applications except those authorized to use them. “Meltdown” breaks down those barriers, making it easy for thieves to steal whatever information is there.
Unfortunately, this is not a problem that can be fixed by a product recall. The solution being offered by Microsoft and other tech companies is to strengthen the armor surrounding kernel memory, in a scheme called “kernel page table isolation.”
This fixes the Meltdown problem (mostly), but introduces new problems, in that the processor has to work harder than usual to keep things protected. All this extra work means the computer could run slower. However, Intel states the slowdown “should not be significant and will be mitigated over time” for “the average computer user.”
The patches and updates coming out will not completely fix the Meltdown flaw, though; that can only happen when Intel designs new, more secure processors, and makes them available for sale in the nobody-knows-when future.
“Spectre,” on the other hand, attacks processors made by Intel, ARM (Advanced RISC Machines) and AMD (Advanced Micro Devices). Devices using Intel, ARM and AMD processors run the full spectrum of electronics, including desktop and laptop computers, game consoles, tablets, automobiles, smart phones, GPS devices, printers and calculators from all manufacturers.
Spectre works differently from Meltdown, in that it fools programs and applications into leaking information that formerly was secret. Unfortunately, researchers, security experts and manufacturers aren’t really sure how to fix the Spectre problem. In fact, there may never be a real fix, in that Spectre exploits processor flaws that are fundamentally part of the way processors are designed and made. The Spectre problem requires that microprocessors be redesigned and new manufacturing processes be put in place, things that will be years in the making.
What’s a “normal” computer user to do? Fortunately, neither Meltdown nor Spectre can work without some sort of dangerous software running on your computer. In short, viruses designed to run Meltdown and Spectre exploits have to be in your computer, something you are actually able to defend against in the same old ways you always have: updates, patches and antivirus software.
Browsers, in particular, need to be updated. If you use Mozilla Firefox, Google Chrome, Internet Explorer or Edge, make sure they are updated. It is also recommended you install an ad blocker plugin, as infected ads on websites will likely be a primary way Meltdown/Spectre enabled viruses are spread.
Operating systems like Microsoft Windows will need updating. Microsoft’s Windows 10 patch is already available, with updates for Windows 7 and 8 coming soon. For iMacs and MacBooks, Apple’s macOS needs to be at minimum level of 10.13.2, which means many people will need to move to High Sierra. More update from Apple are said to follow.
Smart phones will need updating. If you use an iPhone or iPad, go to Settings/Updates, and make sure you have the latest available. The same goes for Android phones. Check for updates regularly, as it could take up to a month for manufacturers to catch up.
Update your antivirus programs. Some may need to be replaced, as they are incompatible with the latest Microsoft patches. As of today (Thursday), BitDefender, Trend Micro, Webroot and Malwarebytes are listed as incompatible, but Avast, Symantec and Avira show to be OK.
Good news can be had, too. Intel says they have “already issued updates for the majority of processor products introduced within the past five years.” That’s great, but, no word yet on how to actually get those updates.
Stay “tuned,” I’m sure more will developin rapid time.