On January 3, a group of cybersecurity experts announced the existence of two security flaws affecting virtually every microprocessor on the planet, codenamed ‘Meltdown’ and ‘Spectre’. The Meltdown exploit affects computer processors built by Intel over the past decade, which are used in the majority of consumers’ personal computers and in over 90 percent of the world’s computer servers. Spectre is somewhat less dangerous but more widespread, as it affects not only Intel processors but also those of their main competitor, Advanced Micro Devices (AMD), and Britain’s Advanced RISC Machine (ARM) chips. These vulnerabilities could potentially allow hackers to access personal data from computers, mobile devices, smart TVs, and cloud servers around the world.
The Meltdown vulnerability affects both Intel and some ARM microprocessors, and can allow a form of malware, such as a virus or worm, to read the chip’s kernel memory, bypassing the usual privilege checks that would otherwise isolate the data from such an invasion. From there, the malware can transmit the stolen information back across the internet to its master.
Spectre would be more difficult for hackers to exploit, because it relies on what is called branch prediction, a process used by modern microprocessors that normally helps smooth the flow in the processor’s data pipeline. This opening could potentially allow a website to access data from another website stored in the memory assigned to the web browser.
In and of themselves, these flaws aren’t due to negligence on the part of the microprocessors’ designers, but rather are potential exploits found after the fact by cybersecurity researchers. There is currently no indication that anyone has actually found or taken advantage of these vulnerabilities, and software companies are keeping details regarding the vulnerabilities secret to prevent tipping off hackers as to how to exploit them.
Although there is no practical way to physically fix these vulnerabilities in the world’s computer chips, software fixes at the operating system level are being developed and distributed by major vendors, including Apple and Microsoft, and Intel is also looking for more practical solutions. Consumers are being urged to keep the software on their devices up to date, including operating systems such as Windows and iOS, internet browsers and anti-virus software. Ad blockers for internet browsers can also block Spectre-exploiting programs from being transmitted to your computer, since even major websites have malware-bearing ads sneak through on their pages.
The fixes were initially feared to cause a performance impact that would see computers slow down by between 5 and 30 percent, depending on the device and what functions the software performs. However, minimal impact has been reported in benchmarks on consumer-level devices, although cloud-based servers may be hit harder.
"There are many cases where the performance impact is zero," explains Andres Frome, a software developer who has been testing the fixes. "But if you are running something like a payment system, where a lot of small changes are made to data, it looks like there will be a significant performance impact."