TL;DR – Got to get it patched!
Recently, two critical security flaws have been found in desktop computers, smartphones, tablets and cloud services. They have been given the names Meltdown and Spectre.
Spectre affects processors made by Intel, AMD and ARM, while Meltdown seems to affect only processors made by Intel.
What do Meltdown and Spectre do?
Spectre allows attackers to trick applications into leaking its data.
Meltdown allows attackers to access information from the operating system memory, including sensitive data from other programmes.
Basically, if someone can successfully exploit either of these flaws, they can read and access confidential information.
And there are people who have demonstrated that it is possible to exploit those Meltdown to steal passwords. This video is by Michael Schwarz, an Infosec PhD student at Graz University of Technology:
Because these are flaws in the chips, and these chips are used in processors of virtually every computer, it means that virtually every computer can be exploited.
And it’s not only computers that are affected. All iOS devices are also affected. Many servers are affected too. This means that the bug also affect big-name cloud computing environments including Amazon EC2, Microsoft Azure, and Google Compute Engine.
Yup, that’s essentially all of your devices and all of the Internet.
That’s why everyone is scrambling to fix this flaw with patches. It wasn’t an easy task to say the least. It must have been very annoying for the engineers working on the fixes. Because at one point in time, the engineers wanted to call one of the fixes Forcefully Unmap Complete Kernel With Interrupt Trampolines, the acronym of which spells F*CKWIT.
And while there are now fixes (aka patches) that plug the security flaws, there are concerns that the patches will result in declines in performance. Some people have estimated that certain processes could be as much as 30% slower after the patches are implemented.
Can you imagine the Internet slow down by 30%? Oh the horror!
Thankfully, things may not be that bad
Intel has announced that the patches it has deployed not only would render chips immune to attacks that exploit Meltdown and Spectre, the patches apparently don’t affect performance significantly.
Google engineers have also described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. Better yet, Google has posted details of the new technique called Retpoline, in the hopes that other companies will be able to follow the same technique.
If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted. And the world heaves a collective sigh of relief.
What do you need to do?
The patches aren’t going to be all deployed at the same time.
Apple has already released mitigation in iOS 11.2, macOS 10.13.2 and tvOS 11.2 to defend against Meltdown. A Safari update in the coming days should fight Spectre attacks.
Microsoft addressed the issues in a blog post. Windows 10 computers will be patched on January 9th, as well as other systems. However, Windows XP isn’t included since it’s no longer supported.
So what you need to do to protect yourself is to watch out for the release of these patches. And when they are released, update your devices. If you do that, then you’ll be fine.
Remember, the price of security is constant vigilence!
(Featured image via)