A lot of fuss has been made over the past few weeks about two major bugs found in Intel and AMD CPUs: Spectre and Meltdown. But what are these malicious flaws in the the big chip giants' hardware and are they really all that bad? What's the worst they could do?
What are the bugs, really?
Meltdown is an exploit that affects Intel's chip architectures – think almost any CPU Intel has ever produced, from the early '70s onwards – IBM Power processors and many ARM based chips too. It effectively breaks the isolation between user applications and the operating system, allowing a rogue application or attacker to access the system memory and to read it unencrypted. That effectively gives them access to any information accessed by your system, be it an application or the operating system itself.
Spectre is a similar bug with even wider-reaching capabilities. It can effect just about every computer system in the world, from desktops, to laptops to mobile devices – anything running AMD, Intel, ARM or IBM processors can be attacked using this method. It works by breaking the isolation between different applications, exploiting what's known as "branch prediction," to hijack a system's best practices to steal information from applications as they transfer it from one to the other.
Although Spectre is harder to utilize for attackers than Meltdown, it's also harder to stop. The fact that it's so wide reaching makes it doubly difficult to deal with.
Is it really that bad though?
In short, yes. The reason Spectre and Meltdown have made such a big splash among security and IT professionals and even leaked into the mainstream press, is that they are so wide reaching, but also such low-level attacks. Where most malware or exploits requires access to specific applications, specific operating systems or software and hardware platforms, Spectre and Meltdown affect just about everyone. More than that though, they give full system access without the ability for traditional security measures like anti-virus or anti-malware scans to protect the system.
Although we don't actually know whether Meltdown/Spectre have been exploited in the wild, the fact that they are widely known about now means that if they haven't already, they soon will be, which is why it's so paramount that people fix up their systems against the potential attack.
It's not something you need to panic over – don't drop everything to fix up these problems right now, but it is something you need to be concerned with and make sure that in the very near future, if you haven't already, you take the necessary steps to protect your devices against the potential attack vectors.
How to patch out the flaws
The first step is to update all of your devices. If you're running an Android device, chances are you've already downloaded the Google patch that will prevent your device from being exploited by either of these bugs. You may need to get an update direct from your device manufacturer itself, so double check to see if and when they have released it. If not, keep your eyes peeled for when it does and then download and install it straight away.
The same goes for iOS devices. Download the system patches and firmware upgrades as soon as they become available.
If you're running a Windows PC, make sure to download the latest Windows patches. Windows Update has probably already done it for you, but make doubly sure by doing a manual update. It would also be worth checking to see if your motherboard manufacturer has released any BIOS or chipset driver patches to fix up the issue at a lower level.
If you're running MacOS, make sure to do the same. Chromebooks should already be updated to protect against this issue, but double check you're running at least version 63.
The hardware option
The best way to protect against this problem will be with new hardware. Intel has pledged that its next-generation and after – beyond the 8th – will not have the hardware flaw that makes Spectre and Meltdown possible. Other manufacturers should do the same.
Although you don't need to buy new hardware to make sure, if you're concerned, a new system later this year would be the way to go.
In the mean time, if you want to see if your system is vulnerable, the InSpectre application can give you a good idea of how protected you are.