The Meltdown and Spectre vulnerabilities were discovered last year, but only recently disclosed to the public. Both belong to the same family of vulnerabilities. They fundamentally affect certain CPU designs: around 20 years’ worth of processors, and certain upcoming designs, cannot be classified as totally secure.
Eliminating these vulnerabilities entirely will require a rethink of how a modern processor functions. However, it is very important to note that NOT all systems are affected. For example, no Teldat or bintec devices are affected at all.
At the heart of the vulnerability is a modern processing technique known as speculative execution. Put simply, this technique involves the computer performing a task before it’s needed. Speculative execution went mainstream between 15 and 20 years ago, so many CPUs made in the last 20 years or so could be vulnerable.
An operating system also stores data in the cache. Securing this OS data is even more important, as it can literally hold the keys to your computer. When a computer processor (CPU) performs speculative execution, changes to the processor state can be detected and theoretically used to determine the location of secure data and steal it. Effectively, a malicious program could read that sensitive information. Your passwords, encryption keys and more can potentially be stolen.
What is Meltdown?
Meltdown (officially referenced as CVE-2017-5754) is a vulnerability that breaks the isolation between apps and the OS. It affects many microprocessors, but not all. Thankfully, this vulnerability is easy to fix, although the fix might impact the performance of a computer. Patches for Meltdown have already been issued for all major platforms. Updates are also coming out for other platforms.
What is Spectre?
Spectre (officially referenced as CVE-2017-5753) is a more widespread issue that breaks the isolation between programs and affects many CPUs made in the last two decades. On the plus side, Spectre is also very hard to exploit. The major stakeholders have already issued updates and patches for known Spectre vulnerabilities. As and when new vulnerabilities pop up, they will need to be fixed as well.
If the flaw is 20 years old, why wasn’t it discovered sooner?
CPUs are extremely complex structures and finding every single vulnerability in a particular design might very well take decades. Also, the CPUs were found to be vulnerable to a so-called side-channel attack. A side-channel attack is one that relates to the “physical implementation of a computer system” rather than an inherent weakness in design. Measurements such as power consumption or sound can be sources of information. How does one defend against, or even test for, something like that? It’s certainly not easy.
Am I safe and if not, how do I protect myself?
Borrowing a phrase from the seminal Hitchhiker’s Guide to the Galaxy, Don’t Panic! These vulnerabilities are incredibly hard to exploit and there is no known attack involving these vulnerabilities to date. Also, as long as you ensure that all your devices and programs are up to date, you can’t get any safer than you already are. If automatic updates are on, you don’t need to worry.
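To confirm that the updates are actually in effect on a Linux machine, the following added example (not part of the original article) reads the status files that patched Linux kernels expose for Meltdown (CVE-2017-5754) and Spectre variant 1 (CVE-2017-5753). The function names and the sample data are constructed for illustration, and a Linux host is assumed.

```shell
#!/bin/sh
# Added example: classify the kernel's Meltdown/Spectre status strings.
# Patched Linux kernels expose one status file per issue in this directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print "<issue> <verdict>" for the two CVEs named in the article.
# $1 = directory to read (defaults to the live sysfs directory).
report_dir() {
    dir=${1:-$VULN_DIR}
    for issue in meltdown spectre_v1; do
        if [ -r "$dir/$issue" ]; then
            status=$(cat "$dir/$issue")
        else
            status=""   # file missing: this kernel does not report the issue
        fi
        echo "$issue $(classify_status "$status")"
    done
}

# Succeeds only if no issue is reported as VULNERABLE or UNKNOWN.
host_ok() {
    ! report_dir "$1" | grep -Eq ' (VULNERABLE|UNKNOWN)$'
}

# Constructed sample: an affected CPU running a patched kernel.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "$d"
}

# Report on the live host if possible, otherwise on the constructed sample.
if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR"
else
    sample=$(make_sample); report_dir "$sample"; rm -rf "$sample"
fi
```

An UNKNOWN verdict means the kernel does not publish a status for that issue, which usually indicates that the kernel itself still needs updating.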
Will Spectre and Meltdown firmware updates affect performance?
The average user will not notice a difference; however, certain specialized services and workloads may be affected. Early reports suggested that the performance impact of the Meltdown patch for certain CPUs could be as bad as 50 percent, but thankfully, that doesn’t seem to be the case at all. Important companies in the IT sector have confirmed that the impact on their systems and devices has been negligible, and others have confirmed that they are not directly affected at all by this issue.
Indeed, this is the case for Teldat and bintec elmeg. None of the Meltdown or Spectre vulnerabilities can affect our companies in any way whatsoever.