Saturday, 03 March 2018 16:36

Bugs in the system - Meltdown and Spectre, what do you need to know!

Sorry but this will be a long post but could easly be far longer, if the title means nothing to you then I strongly suggest you read this as it could affect you as hardly any computers are free of these bugs.

Some of you may have heard of Meltdown and Spectre, others haven’t a clue on what I’m talking about, but this is something everyone should be at least aware of as long as you have anything with a processor from the last 20 years, which I assume is everyone.

 

First, what are they?

Meltdown is a bug which affects Intel x86 processors, IBM Power processors and some ARM-based processors (found in many mobile devices). It allows malware, viruses and other applications access to read your computers memory even in encrypted or secure sections without authorisation.

Spectre is a bug that affects nearly all processors no matter what manufacturer, however it’s also not just one vulnerability but several. In order to achieve the speed we come to expect from our processors they have relied on a process called speculative execution where the processor tried to predict what comes next and if it’s correct, it saves time. If wrong, the work is disregarded and you never need to know. How this bug is exploited is through something called a side channel attack, it can go after your encrypted data in a similar fashion to meltdown but instead of reading the information directly it can trick the processor into revealing the data on its own.

 

How are they exploited? 

Meltdown, while being the most easily exploited bug it has also been the easiest to fix, at least at software level. Updates to operating systems from Windows, macOS, Linux, iOS and others patched a fix preventing this bug being exploited. While early versions of the patch did come with several problems it is now considered safe, but it is far from a perfect fix. In order to fix the bug it has stopped or restricted several features of modern processors which give them the performance we have come to expect. Some people are finding that the hit to performance can be between a 5-30% reduction in certain specialised workloads. While this will not have a major impact on the majority of the general public, there are those which rely on these processes as part of their business which will be hit. In order to fix the problem permanently it requires a physical change to the processor itself which won’t happen until later this year at best and more likely to be part of next year’s releases.

Spectre, while being even more difficult to time an attack to make use of the speculative execution there are two ways it could be exploited. The most worrying is the use of JavaScript’s. While this may mean nothing to most people, JavaScript’s are used by the majority of websites. This means it would only take one website with a compromised script to gain access to that data. As of yet no reports of this kind of attack have been reported but its only a matter of time before that happens. The problem is, this part of the bug cannot be fixed by a simple windows update. To fix the bug in all current systems a firmware BIOS update from the motherboard manufactures themselves has to be issued with the patch. This means one big can of worms. Mac’s should be okay, Apple is able to update the firmware as part of their system updates. With PC it's not so easy, some manufactures have issued patches but had them pulled when flaws were discovered in the fix issued by Intel, while the new version seems to be safe it is only rolling out to a few motherboards which are the latest and most expensive of ASUS, MSI and Gigabyte. These patches can come with significant performance hits especially on older computers, even the newest intel 8th generation have shown 2-14% drops in some benchmarks. With so many variations of boards, so many manufactures and boards that go back 10 years and beyond, it’s impossible for every computer to be patched as there is little incentive to do so and most casual users don’t know how to flash install a BIOS. I even doubt many users even understand what going on which is why this post was written. If this exploit gets to the point it is being used worldwide it will leave many with only one truly safe option, buy a new computer but that’s not option for most.

That is why Intel has already been hit with several lawsuits over these flaws, to some cases frivolous, in some cases completely understandable as if you have invested your money into a computer, one that will not receive this update leaving a new computer as the only safe option.

 

What is our advice to you?

Our advice is clear and should be general good practice for anyone, make sure you have your operating systems automatic updates on, that all your software and browsers are up to date, don't click on unknown links to sites, have adequate virus protection and avoid questionable sites. While HTTPS is no guarantee of a 100% safe site it is an indication that you are using an encrypted site to a verified and secure server as you can see from this site. If you know your motherboard details then look up if any patch has been issued and if so the manufacturer should have instructions on how to do it. Please be careful and follow the instructions carefully as a problem with BIOS updates can turn your computer into an expensive paperweight if not done right.  

If you are worried that your computer may be vulnerable or want any help implementing the good practice, comment, email or phone us for free advice and help. If you require your BIOS to be updated and don’t know how to do it you can book an appointment to have it done for you if one exists or if you want to give your system a full service and security check up we can do that too.

Read 310 times Last modified on Sunday, 04 March 2018 11:31

Leave a comment

Why not leave us a comment, make sure you fill in any (*) details below.

­