Friday January 5, 2018
Being a cyber security term, vulnerability refers to the flaws seen in a system which further make ways for hackers and malware. At the beginning of 2018, the IT industry is already scrambling to patch up with the major security vulnerabilities that have affected almost all computers in the world.
The two flaws naming- Spectre & Meltdown was found by the security researchers at the Project Zero at Google. The vulnerabilities could allow leaking of information from mis-speculated execution which further leads to arbitrary virtual memory across various local security boundaries. Vulnerabilities in this particular issue are affecting numerous modern processors including AMD, ARM, Intel, and Apple.
According to the researchers Meltdown (CVE-2017-5754) is considered to be one of the worst CPU bug found till date. This bug is primarily thought to affect Intel processors manufactures since 1995. Meltdown allows the hacker to get through the hardware barrier seen between the users and the core memory of the PC.
In the case of Spectre, the vulnerability is more widespread and seen affecting modern processors from AMD, Intel and even the ARM chips on mobile devices. This is considered to be more likely a much serious issue as it requires redesign of the processors to fix the problem in future hardware generations.
Both these vulnerabilities can be used by attackers to steal and spy on secure data like encryption keys, passwords etc. which are seen on the cache memory and also can access the recently processed data in the system.
The issues related to Meltdown and Spectre exist within the CPU of Windows, Android, Linux, iOS, macOS, Chromebooks and several other operating systems. A computer generally consist of huge amount of data and the core part of a computer’s operating system known as the kernel, handles the data synchronising process.
When data is in the cache, it is managed by the processor and, it is at this point that new vulnerabilities come into effect. Meltdown grabs information by simply snooping to the memory used by the kernel. And in the case of Spectre, it makes programs to perform unwanted operations which in-turn leaks data, that needs to stay confidential.
Both attacks exploit “speculative execution”, which prepares the results of a set of instructions to a chip. These results are then placed in one of the fastest bits of memory on the PC chip. Unfortunately, this can further manipulate the system bit by bit, therefore allowing the hacker to retrieve confidential data from a computer’s memory.
How is a Computer Targeted?
A hacker tries some kind of codes on a user’s computer in order to try exploit using Meltdown & Spectre. This can be avoided by the following steps:
Practically every computing devices including laptops, smart phones and even cloud computing systems are affected by these two CPU bugs. Every major technology companies have started working against Meltdown and Spectre to protect themselves and their customers.
On the whole, companies and individuals should apply available security updates before the problem gets worse.
There is not much that can be done to resolve this issue but it can be avoided in future by redesigning processors so that attacks becomes impossible. Processors, devices, drives, operating system and numerous other have evolved optimizations for security security risks. As the security problems rise in IT industry, the choices needs to be reconsidered and in many cases new implementations are necessary.