Meltdown and Spectre flaws: What you need to know

Meltdown and Spectre flaws: What you need to know

Matt Blowes January 09, 2018 Security

Meltdown and Spectre are two serious hardware flaws that impact almost every consumer device. They are separate but similar flaws that were discovered in the second half of 2017, but only revealed to the public in early January 2018.

Here are the quick facts:

  • Spectre impacts every device with an Intel, AMD or ARM processor. That is most devices you've ever heard of.
    Meltdown impacts devices with an Intel processor, some ARM and most Apple processors. 
  • Meltdown is a relatively simple flaw. Fixes for Meltdown are available from many companies or will be in the short-term.
  • Spectre is a more complex flaw. Potential fixes are far less obvious. Most companies are still trying to work out an effective resolution. 
  • It's unclear if the two flaws have been successfully exploited by malicious attackers. 
  • The flaws may have existed for 20 years, but were discovered by four separate groups in the second half of 2017.
What you need to do

Keep your software up-to-date.
As a good example for keeping your devices up-to-date, some companies already had patches in place for Meltdown before the flaw was publicly known.

What Sentrian is doing

We're monitoring updates from our hardware and software partners. We have and will continue to apply any patches to fix these issues as a priority in our standard update process.

How the flaws work

Three researchers from the Graz University of Technology, who helped uncover the Meltdown flaw, explain the two vulnerabilities:

"Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system."

"Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre."

Fixing the flaws

Meltdown is a somewhat straightforward fix available from operating system updates. Microsoft released their fix for Windows 10 in early January and Apple say their previous software updates from December fixed the flaw across iPhone and Mac devices. It has been speculated that due to the nature of the flaw updated devices will experience permanent performance slowdowns. Though we are yet to see any reports of substantial or even noticeable performance issues following the updates. 

On the other hand, Spectre is a complex flaw and presents serious difficulties in fixing. Unlike Meltdown, it appears the only avenues for resolving the issue will come at application-level, not the broader operating system level. Meaning multiple parties will have to work together to resolve it. Wired sums up the fixes for Spectre, "as for [the] patches, well, some are here. Some are en route. And others may be a long time coming".

Going ahead

We will be monitoring developments as the issues progress and let you know of any major developments. Otherwise we will implement any fixes as they're made available behind the scenes. Again, we recommend keeping your personal and non-Sentrian managed devices up-to-date. 

Further information

Both of these flaws are reasonably complex and differ significantly from the typical security issues we discuss. Here are a few resources if you'd like to learn more about Meltdown and Spectre.

Meltdown & Spectre - Graz University of Technology (one of the groups who uncovered the Meltdown flaw)

Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time - Wired

“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws - ArsTechnica

Explaining Meltdown with parallel worlds, libraries, and a bank heist - The Verge

Don't wonder about WannaCry. Book Sentrian's Ransomware Readiness Assessment