Cybersecurity

The ‘Chipocalypse’ of Meltdown and Spectre

One sounds like a nuclear plant disaster, the other recalls a villainous organization from James Bond movies. They’re actually cybersecurity attacks that exploit vulnerabilities affecting almost anything that contains a computer chip.

alexey_boldin / iStock / Getty Images Plus / Getty Images

The issue was discovered shortly after the New Year, when security researchers discovered critical security flaws. As WIRED reported, “A bug in Intel chips allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. And on multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could even allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.

“On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.”

While the two attacks operate on the same principles, there are subtle differences between them—while Meltdown makes it possible for malware to gain higher-privilege access to a computer’s memory, Spectre steals data from other applications’ memory on a computer. Meltdown appears to be limited to Intel chips; Spectre attacks not only Intel processors but also chips from AMD and ARM.

Such a wide-ranging cybersecurity flaw isn’t easy to fix, and many outlets have described the response to the situation as nothing short of a train wreck, and a lot of the heat has come down on Intel in particular. However, other companies such as Microsoft have not emerged unscathed, as Microsoft’s attempted chip fix bricked some PCs.

Most fixes will have an adverse impact on performance in one way or another, but older hardware is going to bear the brunt of the troubles. In an updated statement, Intel wrote that “Based on our most recent PC benchmarking, we continue to expect that the performance impact should not be significant for average computer users. This means the typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos. Based on our tests on SYSmark 2014 SE, a leading benchmark of PC performance, 8th Generation Core platforms with solid state storage will see a performance impact of 6 percent or less. (SYSmark is a collection of benchmark tests; individual test results ranged from 2 percent to 14 percent.)”

As if this wasn’t enough bad news, here’s a little bit more for you. The CEO of Arm Holdings, a major chip design company, says that vulnerabilities like Meltdown and Spectre will probably happen again. At CES 2018, Simon Segars said “The reality is there are probably other things out there like it that have been deemed safe for years. Somebody whose mind is sufficiently warped toward thinking about security threats may find other ways to exploit systems which had otherwise been considered completely safe.”

So how can you protect your devices and the devices of those in your workplace? CNET is keeping a running tab of fixes as they become available, covering everything from Android and iOS mobile systems to PCs, Macs, and various web browsers.