While everyone else is exited about the new year, computer security researchers and tech workers were wincing over something else: massive security flaws discovered that potentially affect the vast majority of personal computers and smartphones ever built.
Two security flaws, dubbed Meltdown and Spectre by researchers, allow processor exploits to steal passwords and other sensitive user data from almost any device made in the past 20 years (Damn!) .
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Security researchers, including Jann Horn at Google and academics at Graz University of Technology, discovered the flaws. They had already disclosed the flaws last year to the big tech companies like Microsoft and Apple, and had planned to reveal them publicly in coming days.
Now software companies are scrambling to push out updates. Google and Microsoft said by Wednesday evening that they had updated their systems to fix the Meltdown flaw, according to the Times. Some consumer fixes, including for PCs, have rolled out, but others are still in development.
There is no evidence yet that hackers have taken advantage of the security flaws. But once flaws are made public, the attention makes your devices ready targets, allowing skilled hackers easy access to your passwords, online bank accounts, and email.
Exploits are unfortunately common these days, as security researchers engage in an arms race with hackers and even nations to build walls around our increasingly connected world of devices.
Meltdown and Spectre are beyond the norm, however, because they allow exploits at the hardware level, the silicon in your machine. That makes fixing the problem much more challenging, as the exploits allow access to the most basic part of your computer.
According to the security researchers who discovered the exploits, the data at risk “might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
According to the Times, hackers could simply rent space on an unpatched cloud service and easily access customer data:
That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.
The biggest cloud service companies, like Google and Amazon, say they’ve fixed their systems issues. But cloud services are an increasing part of many online and offline businesses, which may not act so quickly.
How do I protect myself?
Fixes are in the works for Meltdown but probably aren’t available yet on all your devices. The Verge reported Thursday:
Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. …
For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party anti-virus software then it’s possible you won’t see that patch yet.
Apple said that it released software updates to mitigate the Meltdown exploit for iOS, Macs, and the Apple TV in December and that further updates are forthcoming.
Fixes for Spectre may require hardware changes, which could take years to roll out as people buy new devices.
While you wait for fixes, the best thing you can do is to enable two-factor authentication, which uses login codes from your phone or email. Enable this on as many sensitive accounts as possible, create long passwords, and don’t reuse them. Also consider a password manager, which can create passwords for you (but make sure the manager itself is secure).
This is just sound advice in general. Whether or not these specific flaws are taken advantage of by hackers, future ones certainly will be.
And software fixes for Meltdown, when they come, may not be perfect: Patches for Meltdown could slow down computers in some cases by up to 30 percent. Andres Freund, a software developer, told the New York Times he had confirmed slowdown in testing on Linux machines. But some other experts say that that alarming figure will most likely only apply to servers and cloud services.
That’s potentially bad news for many small- and medium-size businesses that rely on complex networks, but the big tech companies have had time to grapple with the problem and have the money to mitigate any effects on consumers.
The bottom line: Don’t put off updating your devices because of fears of slowing them down.
Do I really have to care about this?
You are probably resigned by now to the malicious code panic cycle: A flaw is discovered or exploited, millions of sensitive personal data is/is not compromised, and we all push a few buttons to get the fix — and pray hackers ignore our helplessness.
While the threat of these newly discovered flaws is still hypothetical, little technical knowhow may be needed to exploit Meltdown, in particular. All it could take is an annoying banner ad to compromise your device.
So to be clear: You absolutely need to push those buttons. But the, ahem, specter of hardware-level security flaws may not be lifted anytime soon.