Meltdown and Spectre

There has been a lot going on in the computer industry over the past several weeks. CES 2018 is a big deal, and has brought a flood of news including Intel’s new 8th generation Core CPUs with integrated Radeon graphics (you can read more about those here). But the big headlines have been Meltdown and Spectre, the security bugs that have the entire industry on edge. Should you be worried? What exactly are Meltdown and Spectre? And what should you be doing to protect your computer, smartphone and tablet? The situation continues to develop, but here’s everything you need to know at this point.

What Are Meltdown and Spectre

Meltdown and Spectre are two different (but related) vulnerabilities. They were discovered by a team that includes university researchers and members of Google’s Project Zero. Both vulnerabilities are related to the way CPUs use system memory and both could allow an unauthorized application (malware) to access data that’s currently stored in RAM. That data could include very sensitive information, ranging from passwords to mission-critical documentation. These vulnerabilities are based on the hardware itself—specifically CPU architecture—which is why they were so difficult to discover, and why they are so pervasive.

And because these vulnerabilities are at the hardware level, the operating system doesn’t provide complete protection. Any solution to eliminate these vulnerabilities requires both OS-level software patches, and firmware upgrades.

What devices are affected by Meltdown and Spectre

At this point, Intel processors released since 1995 have been pinpointed as being affected by Meltdown. So computers are the devices primarily at risk. Spectre casts a much wider net, affecting Intel, AMD and ARM-based processors. That means PCs, tablets and smartphones could all be affected.

While the scope of the devices affected by Meltdown and Spectre is alarming, one of the key takeaways is this: both are vulnerabilities, but at this point there have been no exploits identified that actually take advantage of them.

So yes, a very big deal, but it’s also not a reason to panic. At least not for most individuals. Companies operating data centres and cloud servers are the ones most at risk at this point. Cloud computing means multiple applications sharing a CPU on a server, and that’s where an exploit that could steal data from the system memory allocated to other applications is a real concern.

However, the computer industry is working together to take action …

Meltdown and Spectre Patches

Name a major player in the computer industry and it is working with the others on Meltdown and Spectre to prevent a crisis.

Intel, AMD, Qualcomm, Microsoft, Apple and Google—along with other players—are sharing information, and working together to address the vulnerabilities. Patches are rolling out for Meltdown and one variant of Spectre. The second variant of Spectre that’s been discovered may require additional firmware updates, but that has not yet been finalized. During its CES 2018 keynote, Intel said that it will have Meltdown and Spectre fixes available for 90% of its processors released over the past five years, within a week.

Microsoft released a Windows 10 update that includes a security patch. It’s also rolling out firmware updates for its own Surface devices. Apple included a Meltdown security fix in the latest versions of macOS and iOS, and is expected to release firmware updates for Mac computers. The company also released updates for tvOS (there’s an ARM-based CPU inside the Apple TV). Google released a security patch for Android and confirmed additional measures are coming. Google also says an update for Chromebooks began rolling out in December.

Web browsers have also had fixes implemented, with Firefox, Safari, Explorer and Edge getting updates. Google is working on a security update for Chrome.

Cloud service providers including Microsoft and Google were among the first to install fixes at their data centres.

What About Security Software

As mentioned, Meltdown and Spectre are vulnerabilities, not exploits. Security software protects your computer and mobile devices against malware that exploits vulnerabilities, and there hasn’t yet been a report of code discovered in the wild that does this.

However, that doesn’t mean security software companies are standing still. They’re on high alert and many of them have begun releasing updates that include some defences against malware that could potentially take advantage of the vulnerabilities. Norton, Microsoft’s Windows Defender and others have already confirmed they have released patches.

Will My PC Slow Down?

The prospect of Meltdown and Spectre posing a potential danger to computers has in some ways been overshadowed by reports about the cost of the fix.

As a PC owner, it’s not a financial cost. However, the effort to quickly shut down the vulnerabilities has resulted in reports of computers taking a performance hit. Microsoft and Intel have both admitted to the issue; however, it is far from universal. Here’s what we know at this point:

  • Servers are seeing the worst effect since the slowdown is most noticeable during high-performance loads. Up to 30% performance reduction has been reported and some online services are being forced to add additional PCs to make up the difference (gamers reported Fortnite was particularly slow, for example, and Epic Games traced the hit to the installation of the Meltdown patch).
  • Microsoft says the hit to PCs equipped with Haswell or newer chips running Windows 10 tops out at single-digit slowdowns and during typical use shouldn’t even be noticed. However, older PCs and those still running Windows 7 and Windows 8 may well notice a performance degradation as a result of the Meltdown fix.
  • Microsoft halted the rollout of the Meltdown fix altogether to AMD computers when it was discovered the fix was making some PCs unbootable.

We are still in the early stages and these patches and fixes have been released as quickly as possible. Expect optimization to eventually reduce those performance hits.

The Bad News

Out of all this, the bad news really is Spectre. The companies involved have reacted quickly to Meltdown and the initial Spectre variant. However, that second variant is expected to be much more difficult to address. And there’s concern that there are more versions of it still hiding. At this point, there is speculation that Spectre may be an issue for years to come.

And that brings us to you: what you need to do to protect your computer, your smartphone, your tablet and any other potentially affected devices from both Meltdown and Spectre.

What Can You Do to Protect Yourself From Meltdown and Spectre?

Update, update, update … This situation is evolving rapidly and your first—and most important—line of defence is to make sure your devices are always updated. That means anything with an operating system, including computers, smartphones, tablets and other devices like the iPod Touch or Apple TV. Install the latest version of the operating system, and install any security patches. Make sure you activate automatic updates so you don’t forget, because those updates are likely to continue coming as the situation develops.
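One way to confirm that updates have taken effect, as an added example that is not part of the original article: it assumes a Linux machine, where patched kernels report per-issue status under `/sys/devices/system/cpu/vulnerabilities` (an interface the article does not cover). The function names and the sample statuses are constructed for illustration.

```python
from pathlib import Path

# Patched Linux kernels report per-issue mitigation status in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to not_affected / mitigated / vulnerable / unknown."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Return {issue: raw status line}; None when the kernel does not expose the file."""
    result = {}
    for issue in ISSUES:
        path = Path(base) / issue
        result[issue] = path.read_text().strip() if path.is_file() else None
    return result

def needs_update(statuses):
    """List issues that are vulnerable, unrecognised, or not reported at all
    (a missing file usually means the kernel predates the patches)."""
    return [issue for issue, raw in statuses.items()
            if raw is None or classify(raw) in ("vulnerable", "unknown")]

# Constructed sample: Meltdown and Spectre variant 1 patched, variant 2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    # Use the live kernel report when present, otherwise the constructed sample.
    statuses = read_status() if SYSFS_DIR.is_dir() else SAMPLE
    for issue, raw in statuses.items():
        print(f"{issue:12} {raw or 'not reported by this kernel'}")
    print("needs update:", needs_update(statuses) or "none")
```
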

In addition, now is the time to make sure each online or web-based service you use has a unique password. That means websites, but also cloud-based services like Netflix. The big targets for Meltdown and Spectre are likely to be data centres, so making sure each of your accounts has a unique password minimizes the risk to you if one of those services should ever be hacked.

And if you don’t already, Meltdown and Spectre should convince you to double down on protection with security software for your computers and devices. If someone does figure out how to release malware that exploits the vulnerabilities, security software will make sure it doesn’t make its way to your systems.

Still not sure of what you need to do? Drop into your local Best Buy where Geek Squad Agents and Blue Shirts are prepared to answer any inquiries from customers. In addition, if you are covered by Geek Squad Protection or Geek Squad Home, they will assist you with any required updates.

In a Nutshell: Don’t Panic, But Take Precautions

There is a lot of noise about Meltdown and Spectre right now. There’s no doubt that they are a very big deal and will continue to be for some time.

However, as of now there has been no criminal activity linked to the vulnerabilities and no malware identified that takes advantage of the situation. The world’s biggest tech companies—including Google, Microsoft, Apple and Intel—are all over the issue. Enterprise computer users, data centres and cloud computing services are on high alert, since their shared computer setup puts them at the highest risk of attack.

As the personal owner of a computer, smartphone or other devices, your primary concern is ensuring your operating system is up to date, security patches are installed and your passwords follow best practices. Having third-party security software protecting your devices is never a bad idea. And as always, back up your system, either in the cloud or to an external hard drive. And breathe … Meltdown and Spectre are a wake-up call, but not the end of the world.

Brad Moon
Editor Computing solutions
I’m a long-time electronics and gadget geek who’s been fortunate enough to enjoy a career that lets me indulge this interest. I have been writing about technology for several decades for a wide range of outlets including Wired, Gizmodo, Lifehacker, MSN, About.com, Kiplinger, and GeekDad. I’m in my 10th year as a senior contributor for Forbes with a focus on reviewing music-related tech, Apple gear, battery power stations and other consumer electronics. My day job is with the Malware Research Center at AI-native cybersecurity pioneer CrowdStrike.