On January 2, 2018, data on vulnerabilities of the majority of modern processors from Intel, AMD and ARM came into common access.
Using these vulnerabilities, attackers can access personal data of users (from passwords and credit card data to bitcoins of purses).
Such attacks received their names — Meltdown and Spectre. Briefly tell you what it is, what threats and how to secure your computer from it.
The essence of the problem and the risks for the Internet users
Physically, processors are not at all at risk. The whole problem lies in architecture, that is, in the algorithm of work. It was previously thought that two programs running on a computer work in isolation and do not have access to each other’s data. This also applies to two parallel tabbed browsers, in one of which you entered credit card details when you paid for your favorite band’s concert tickets. As it turned out under certain conditions, you can get system protection, use architectural vulnerability and get the processor processed data.
Meltdown allows you to access system memory using running applications. Spectre clears the line between parallel running applications and opens data to one another.
What computers can suffer?
Every day, the number of processors subject to attack is increasing. Key processor manufacturers (Intel, AMD, and ARM) have already stated the seriousness of the current threat. Today, almost all computers, regardless of the type of operating system (Mac OS, Windows, etc.), are at risk.
The most likely chance to get a malicious code from the outside is through a browser that has access to vulnerable memory locations during the process.
All users with current browser versions can launch Meltdown or Spectre. Absolutely any user can easily, without knowing about it, by clicking on the advertisement or the link to lose personal data, passwords, etc.
Versions of browsers at risk:
- Chrome 60+ (126.96.36.199)
- Firefox 46+
- Safari 10.1
- Edge Fall2017
How to secure your data and what solution already exists?
Most processor manufacturers are motivated enough to correct the situation (Intel shares fell a couple of points after the scandal, AMD received a class action lawsuit for hushing up this problem) and try to release a software update for the system as soon as possible, which minimizes the risks of using the architectural vulnerability.
Improving the work of the processor core can minimize the threat of Meltdown. Quickly does not mean high-quality solutions developed in haste leave much to be desired. The KAISER patch can slow down some Intel processors by as much as 5–30% for some processes. (Wired) In this case, the processor manufacturer acknowledged that there are errors in the urgently updated update. They are manifested in the work of systems on the generations of Broadwell and Haswell, resulting in a “more frequent than usual reboot.” Now Intel will release a patch for the patch. (Reuters) KPTI Patch for Linux is expected to lead to a decrease in performance also from 5% to 30%. (Phoronix) This is due to the fact that now a number of tests that load system performance will be launched into the list of processes.
In order to solve the Spectre problem completely with minimal consequences for ordinary users, it may take more time. In this case, older computers are likely to be bypassed by manufacturers.
Browser developers also announced work on solving their own vulnerabilities, through which you can access data. However, it is not known when exactly updates of popular browsers will block the execution of unwanted code.
To protect your computer, you can wait for system software updates and new versions of browsers. In addition, download a new video adapter driver, which may also be vulnerable to Spectre attacks. You can download the Spectre Meltdown CPU Checker to check if the system is vulnerable. At the same time, until the updates, the system remains vulnerable and it is not known when and how much the future updates will deal with the problem.
You can download the version for Chrome here.