Are Spectre and Meltdown a Big Deal?

First published: 05^th January 2018

Allan Dyer

Spectre and Meltdown are the names give to design flaws in the processors that power most modern computers and they have hit the headlines worldwide in the last couple of days, but how important are they? This is not a detailed description of the flaws, there are many of those, from CERT/CC, on dedicated websites, Intel, the Register and others. Instead, I want to provide a brief guide to help ordinary users.

What is affected?

Just about every Intel processor currently in-use, and many ARM and AMD processors:

Meltdown

• Intel processors (except Itanium and pre-2013 Atoms) since 1995
• ARM Cortex-A75, Cortex-A15, Cortex-A57 and Cortex-A72

Spectre

• Intel processors (except Itanium and pre-2013 Atoms) since 1995
• ARM Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75
• AMD's Ryzen family, FX and Pro

What is not affected?

The Raspberry Pi (all models) does not use the affected ARM processors.

What Should I Do?

Install the updates as soon as possible.

The vulnerability note from CERT/CC initially advised replacing the processor, but the note now advises applying updates to the operating system and some applications.

The initial advice was accurate, but unhelpful. These are Design Flaws, so the only real fix is to replace the processor with a better-designed one. However, even if the cost of replacing the processors in almost every computer and device was not astronomical, it is not possible in a reasonable timescale because the replacement processors are not available, and many devices have the processor permanently attached to the circuit board.

The revised advice is workable. If there is no update for your computer or device now, be prepared to install it as soon as it is released.

What are the Design Flaws?

Modern processors are extremely complicated, and processor designers are always looking for ways to make our computers run faster. They also need to enforce security, so when a user (well, a program run by the user) asks for some information, that request is given to the operating system (e.g. Windows, Linux or OS X) and the operating system checks whether the user is allowed to access that information. A design trick known as speculative execution allows a processor to execute some instructions out of order, in anticipation of a future decision, but to ignore the results if the decision went the other way. Speculative execution doesn't enforce the operating system restrictions of which program is allowed to see which data, the check happens later. The flaws are ways that a program can use speculative execution to ask for data it shouldn't be allowed to see, and then still observe an effect even though the decision went the other way and the results were 'ignored'.

So what does that mean?

One malicious program can access the data of any other program on your computer.

Is that important?

You only install genuine software and you run anti-virus, so all your software is trusted, therefore you might think you have nothing to worry about. However, there are a lot of programs that your computer runs that are not so trusted. For example, many webpages include programs, usually to make the page "cooler". It was assumed that because these programs were run inside a special environment in the web browser, they couldn't access sensitive information. By using these flaws, a webpage could try to steal your passwords, your cryptographic keys or your bitcoin wallet.

Will my Anti-Virus Save Me?

There have been no reports of this being exploited by malware yet. However, the flaws can be exploited in many ways so it seems unlikely that there could be a single malware definition that could recognise any exploit. So, if malware using these flaws appears, then anti-virus developers will quickly add specific detection but we won't have blanket protection.

You're saying this is a Very Big Deal, why are many reports less worrying?

The manufacturers, particularly Intel, have made a massive blunder in pursuing speed without realising the security implications. Their PR is carefully describing the problem in the least-damaging terms while still remaining technically accurate. Even so, share prices have been badly affected. For the purposes of this article, who to blame and the value of a company are irrelevant, the important thing is what should you do now? You should install the updates as soon as possible.