Two defects threaten computers and devices released on the market since 1995.
Meltdown and Spectre are the names given to two newly discovered bugs terrorizing computers around the world.
At the sound of such unnerving names, it’s hard for security folks at enterprise-level companies to control the panic.
While protocols for dealing with these threats are still on the drafting board, there are solid steps that companies can take to protect themselves.
What are Meltdown and Spectre?
In early January of 2018, the tech world was rocked by the discovery of two colossal security flaws that affect almost every computer and smart device on the market since 1995.
First announced on January 3rd, the bugs’ initial discoveries are being attributed to Jann Horn at Project Zero, a Google-based program for security analysis.
These two separate flaws were simultaneously being probed and announced by a handful of security experts from around the globe. As bits and pieces came out about the exposures, the gravity of the situation became clearer.
Both Meltdown and Spectre exploit weaknesses in the CPUs of most current machines and all their predecessors dating back to 1995.
Since both faults affect major brand-name processors, it means that desktops, laptops, mobile devices, and servers all contain the defects.
The spooky truth is that they affect a majority of computers in use today.
How They Work
Although the two flaws are often linked because both are widespread and were discovered around the same time, they do not work in the same way.
The first defect, Meltdown, is named for what it does to affected devices. It effectively ‘melts’ the wall between applications and the machine’s OS, making it a devastating entryway for hackers.
The second issue, Spectre, is named for the process through which hackers are able to steal information, namely ‘speculative execution’.
Speculative execution is the technique whereby your device records your computer activity in an attempt to predict future actions. This process helps your device execute tasks quickly, but the records contain sensitive usage information that shouldn’t fall into the wrong hands.
The name also refers to an apparition, which is fitting since companies don’t want intruders ghosting around their private information.
Meltdown affects Intel processors while Spectre affects three kinds of CPU chip: Intel, AMD, and ARM.
Using these newly discovered gateways, popular tech forum Bleeping Computer says, “Malicious program can steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.”
In response to the potential devastation, the tech community has seen a wave of security advisories and patches to deal with the bugs.
At the pace that vendors are trying to get information out, some have produced conflicting stories: while AMD maintains that its CPUs have a near zero risk of vulnerability, Microsoft quickly pushed out a patch for AMD devices that has caused computers to stop working.
In the haste to calm the masses, it seems some solutions come with problems of their own.
Beyond the CPU
Browsers are also vulnerable due to these glitches.
Safari came out with a patch in December of 2017 while Microsoft just released patches for IE and Edge. Microsoft announced that Windows 10 is safer to use than older versions, but did not provide further details.
After other vendors bumbled, Google reneged on a patch that was promised for January 23rd. Google’s Chrome browser and OS patch came out Friday the 2nd of February, over a week late.
Adding yet another layer to this confusing frenzy, antivirus programs may be incompatible with some systems (notably Microsoft), so don’t go AV-crazy just yet.
In order to be proactive, here are three solid steps you can take to make sure your company is protected.
- Assess Your Risk
Guidelines for action, from patches to future fixes, are available at each vendor’s site. Your company can build a customized response based on vendor-specific information.
- Follow Instructions
Take the recommended steps to mitigate any security risks that would leave your company vulnerable.
A smorgasbord of vendors, from Amazon to Cisco, has released advisories to protect their clients and business partners from dangerous activity.
It’s up to your company’s security team to follow instructions based on the software and hardware that your system uses.
- Hold Out for More Information
Unfortunately, these bugs were publicly announced only recently, and the scramble to provide permanent answers is on.
The best thing to do after the initial patch scare is to await further details and instruction from the tech security community.
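One way to start the "Assess Your Risk" step on Linux hosts, as an added example that is not part of the original article: kernels that carry the Meltdown and Spectre fixes report their status in files under `/sys/devices/system/cpu/vulnerabilities/`, and the script below turns those status lines into a follow-up list. The function names and the sample host are this example's own, and the sample status lines are constructed.

```python
from pathlib import Path

# Real sysfs directory on Linux kernels that include the January 2018 fixes.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to a triage verdict."""
    if status is None:
        # File absent: the kernel predates this reporting interface.
        return "unknown"
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_host(sysfs_dir=SYSFS_DIR):
    """Read the raw status lines from a host; None where a file is absent."""
    result = {}
    for name in CHECKS:
        path = Path(sysfs_dir) / name
        result[name] = path.read_text() if path.is_file() else None
    return result

def assess(statuses):
    """Return (per-check verdicts, names of checks that need follow-up)."""
    verdicts = {name: classify(statuses.get(name)) for name in CHECKS}
    todo = [n for n, v in verdicts.items() if v in ("vulnerable", "unknown")]
    return verdicts, todo

# Constructed sample: a host with the Meltdown fix but no Spectre v2 fix.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    # Use the live host when the interface exists, else the constructed sample.
    verdicts, todo = assess(read_host() if SYSFS_DIR.is_dir() else SAMPLE)
    for name in CHECKS:
        print(f"{name:12} {verdicts[name]}")
    print("needs follow-up:", ", ".join(todo) or "none")
```

A check reported as `unknown` belongs on the follow-up list as well, since an absent file means the kernel is too old to report its status.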