Meltdown & Spectre
What are Meltdown & Spectre?
Meltdown & Spectre are hardware vulnerabilities that affect the processors in your computer, your smartphone, and the servers constituting the Internet and the World Wide Web. They allow information to be read from memory inappropriately and without authorization.
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors that enables reading all memory without authorization (Source: Wikipedia). It has been assigned CVE ID CVE-2017-5754. It affects all systems using the processors, and is not a software bug.
Spectre is a hardware vulnerability affecting almost every computer system (including desktops, laptops, servers, tablets, and smartphones) and has been demonstrated on processors from manufacturers Intel, AMD, and IBM, as well as on some ARM-based processors (Source: Wikipedia). It has been assigned two CVE IDS: CVE-2017-5753 and CVE-2017-5715.
Impact and industry response
The computing industry has been producing software updates to mitigate the security holes in Meltdown and Spectre. These software updates affect the entire stack of software products:
- Hypervisors (the software at the heart of most hosting providers)
- Operating systems (like Windows, macOS, FreeBSD, iOS, Android, and Linux)
- Application software (like your web browser)
At every level, the mitigations have the potential to cause slowdowns or instabilities (crashes and lockups, for example). This is already happening.
What to do
We at QI and the websites we have built for our clients are end-users of all this software and hardware. And unfortunately all of us will have to expect systems and web sites to perform worse and be less available than what we’ve been accustomed to. The best thing we can do is maintain our good practices, which include
- Automated backups
- Routine application of software and security updates
- Carefully avoiding sketchy web sites that might deliver exploit code
- Using ad or content blockers to avoid malicious code
- Vox’s explainer video for general audiences
- Computerphile’s academic, technical video
- SANS Internet Storm Center daily information security podcast (iTunes link)