Meltdown and Spectre

January 24, 2018 Comments Off on Meltdown and Spectre
Meltdown and Spectre

Meltdown and Spectre are software vulnerabilities – simple bugs that have been hiding in computers for decades. But their effects could be devastating for users all over the world, using computers and operating systems of nearly all types.

New zero-day vulnerability: In addition to rowhammer, it turns out lots of servers are vulnerable to regular hammers, too.

The popular webcomic xkcd explains how Meltdown and Spectre work, in plain language.

What are Meltdown and Spectre, and how do they work? First of all, they’re security vulnerabilities that are based around a technique used by modern CPUs (the brains of a computer) for over a decade. The technique is known as speculative execution, and it is used to optimize performance. Basically, the computer carries out a process before it is requested, because it is possible that the user will request it in the future. By doing it ahead of time, there is less of a delay when the user actually does request the information. If the user doesn’t request the information at all, it is deleted and can neither be accessed nor affect any other process… at least in theory.

The problem with Meltdown and Spectre is that these unused pieces of information can be accessed by hackers, which they can use to look at other information in the computer’s memory. This enables them to steal other, private data from the rest of the programs running on the computer. As a result, your personal files, emails, passwords, and sensitive information could all be potentially compromised in an attack. The worst part is, it could all happen without you knowing. The exploit wouldn’t leave any traces in the computer’s log files, and the process would be invisible to the user. For this reason, Meltdown and Spectre are extremely dangerous. It is still unknown whether this type of exploit has been used “in the wild” for malicious purposes.

Both vulnerabilities are very similar in how they work, but there are slight differences. Meltdown allows a hacker to break the isolation of each program and the operating system, so the entire computer’s memory can be accessed at once. Spectre breaks the isolation between individual programs and tricks them into revealing information. Spectre is harder for malicious hackers to take advantage of, but it is also harder to stop.

Nearly all computer users are affected by Meltdown and Spectre. Intel and ARM processors have been tested and found to be vulnerable to Meltdown, and it is unclear whether AMD processors are vulnerable as well. Spectre has a wider range, with vulnerability confirmed for Intel, ARM, and AMD processors. Apple has said that the Apple Watch is not affected, and has released patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2. For ordinary users, Meltdown and Spectre will almost certainly have affected most, if not all, of their devices. Laptops, cloud servers, and smartphones are all vulnerable, in addition to .

As information and awareness about Meltdown and Spectre have spread, software patches have been released to mitigate the danger for users. Other companies like Google and Apple have released statements informing customers of steps taken to ensure security. An official site,, has more detailed information about the vulnerabilities, including their discovery by several independent teams, specifics on what computers are affected and what software patches have been released, and links to other official sources.

In the meantime, affected users should immediately install patches to mitigate the risk of an attack. Since Meltdown and Spectre are based in a CPU’s inherent structure, there cannot be a complete fix for them without developing new hardware. In the meantime, you should make sure you are checking for updates, running antivirus software, and staying informed. Keep in mind that although updates may worsen the performance of your computer, safety and security are the most important thing.

Related Posts Plugin for WordPress, Blogger...

Related Posts

Comments are closed.