By Andy Li
If you wanted the quick answer, then yes, you probably should be — or at least be paying attention. For those of us that don’t follow tech that much, January for the tech world has been abuzz with two words: Spectre and Meltdown. They’re two computer exploits that can give an attacker the ability to read data in parts of the system that are normally completely secured and unreadable by conventional means.
Normally, data that’s being input and processed into a computer system, such as passwords, usernames and other sensitive information, isn’t readable straight from these heavily restricted areas of the hardware. This is thanks to industry conventions and standards that require developers to ensure these areas are well secured and encrypted against prying eyes. But thanks to researchers at Google’s Project Zero and other independent research teams, these parts of the computer are now no longer nearly as secure as everyone once thought.
With the exploits being called “one of the worst CPU [computer processor] bugs ever found” by one of the researchers who originally discovered them, every major hardware and software vendor is currently in a frenzy trying to determine what should even be done about them. That’s because they affect nearly every CPU made within the last 20 years, with Intel CPUs being especially vulnerable.
This means that billions of devices are potential targets. While bugs and exploits are usual fare when it comes to technology, Spectre and Meltdown expose not just security problems with computer hardware, but inherent design flaws made by CPU developers trying to squeeze out as much performance as possible for their hardware. It comes as no surprise then that current fixes to these exploits come at potentially steep performance costs, with some major companies reporting up to a 30 percent performance decrease for their systems after applying fixes for the exploits.
As of now, Google and Amazon have already reported that their infrastructure has been secured against the exploits with minimal performance issues. Microsoft has had mixed results for Windows patches, where some AMD CPU users reported unbootable computers before a subsequent fix was pushed out to address the problem.
Meanwhile, Intel has remained vague in their plans to address the exploits, despite it being their CPUs that are affected the most by the exploits. Early attempts by Intel to fix the problem through firmware updates have been lambasted by some developers, including Linus Torvalds, as being “complete and utter garbage.” Longer-term solutions announced by Intel, such as the development of Spectre- and Meltdown-proof chips, have only raised more questions than answers as scant details have been given other than that they’ll be released later this year.
So the question remains: What can we, as normal consumers, do to protect ourselves against these threats? Unfortunately, even with current fixes, you won’t be protected from certain variants of Spectre. Keeping your system up to date, though, will go a long way in keeping you safe from becoming a victim of a new class of attacks. Use this tool created by the Gibson Research Center to determine if you’re still vulnerable: https://tinyurl.com/y98na5c4. Pay particular attention to your web browser and operating system and update those as soon as possible to the latest versions.
In the long term, though, the only way to be totally rid of these exploits would be to replace the system with Spectre- and Meltdown-proof machines. However, with Intel CPUs still in use in most computer systems, and given how long many of us hold on to our computers, this will certainly be no simple task. So for now, while we can only wait and watch to see what the big players will do next, one thing’s for sure: Meltdown and Spectre will be haunting us for quite some time.
Andy Li is a member of the Information Technology Senior Seminar course and is planning on an eventual career in database administration.