meltdown and spectreJust days into 2018, two critical cybersecurity exploits impacting numerous tablets, smartphones, computers and other devices were reported by security researchers. It’s been found that many of the CPUs (Central Processing Units) within most modern computer systems are vulnerable to at least one of these two flaws, dubbed “Meltdown” and “Spectre.” Given that CPUs serve as the “brain” of modern devices, it cannot be overstated how significant these exploits are, as they can compromise your devices and data. Keep reading to learn what you need to know about the Meltdown and Spectre exploits, including how they impact you and what actions you can take to secure your devices.

What exactly is a CPU?

To make sense of these exploits, it’s important to have some understanding of computer hardware. A CPU, sometimes referred to as a processor or microprocessor, is a hardware component that sits within the motherboard of a system, where it communicates with many of the other components of a device. Its role is to interpret and execute the instructions that allow you to run programs on your device. CPUs aren’t just in computers and laptops, but they’re also in a number of other devices, including smartphones and tablets, with Intel, AMD (Advanced Micro Devices) and Arm being the largest producers of this component.

What is Meltdown?

Meltdown is an exploit specifically affecting systems with Intel CPUs, which include the vast majority of laptops and desktops, given Intel’s domination of the computer microprocessor market. Meltdown exploits a feature of modern CPU design, known as speculative execution, which allows CPUs to do tasks ahead of time by “guessing” a potential chain of instructions before they’re actually executed by the CPU. The technique is a way of getting faster performance from CPUs because when the CPU guesses right, an entire chain of instructions can be executed, as opposed to just executing individual instructions one at a time. Unfortunately, the CPU’s guesses, right or wrong, at some point are stored in the system’s memory, which is something taken advantage of by both Meltdown and Spectre. For Meltdown, because of the way Intel chips are currently designed, there may be cases when Intel processors fail to distinguish between low-privilege processes and processes that require access to more sensitive aspects of a computer’s operating system. In theory, a malicious actor can use this exploit to create a program that will allow them to get a glimpse of data that should be otherwise protected and hidden within a portion of the operating system called the kernel. Since the kernel is essentially the behind-the-scenes manager of all of your programs, accessing it would allow a hacker to see whatever they wanted on your system, including your personal data.

Google Project Zero, the noted cybersecurity research group which helped discover both Meltdown and Spectre, says that “effectively every” Intel processor released since 1995 is vulnerable to Meltdown. Unfortunately for computer users, most Windows computers usually come with Intel processors, and in the mid-2000s Apple integrated Intel chips into their computers. Additionally, even though Intel hardware currently has a relatively small presence in smartphones, it seems like some mobile systems, like mobile versions of Windows and iOS, might still be affected by Meltdown. Most computers and laptops come with stickers detailing their internal components, but if you use other devices or if you’re uncertain about the hardware your particular device uses, you should be able to view those details from your device’s operating system. To learn more, Google how to do so on your particular device or system. Alternatively, if you know your device’s name and/or serial number, you can Google the components of the device to confirm that your system is vulnerable to either of the exploits.

What is Spectre?

Spectre is an exploit related to Meltdown, as it also abuses speculative execution, but its impacts are much broader, harder to mitigate and more difficult to pull off. Whereas Meltdown allows hackers to passively benefit from Intel’s particular implementation of speculative execution, Spectre requires actively tricking other programs into sharing the contents in their memory through speculative execution, something that requires more expertise. Sadly, unlike Meltdown, the exploit seems to be effective in not only Intel chips, but also in AMD and Arm chips, as well. While Intel chips are predominately used within desktops and laptops, these other manufacturers make CPUs for a wide range of products. Furthermore, because of the nature of the exploit, it’s possible that there will not be a way to patch it for some time. These factors create a high degree of uncertainty that both developers and consumers will have to deal with going forward.

How can I stay safe?

Developers are currently issuing patches for Meltdown, but, as stated above, Spectre will be far more difficult to address. It’s also worth noting that while Meltdown can be patched, since it’s fundamentally a hardware problem, software patches aren’t so much eliminating the problem as simply working around it. Still, patching will be more than enough for you to stay safe. This is why it’ll be of the utmost importance to update the software running on all of your devices in the coming days and weeks. Most major operating systems, like Windows and Mac OS X, already have updates designed to address Meltdown, but make sure to keep an eye out for patches for any other systems and programs.

Is there anything else I should know?

There are claims that some of the updates designed to address Meltdown will slow down performance in systems by as much as 30% because they hamper the fluidity of speculative execution. While that’s true, for the average user that likely won’t be a problem, as the patches are mostly affecting the way CPUs engage in processes requiring kernel access. Services like social media and even intensive processes like gaming don’t require the CPU to repeatedly access the system’s kernel, and sites are noting that there aren’t really any noticeable performance dips for most programs. Similarly, you should ignore claims suggesting that consumers have to throw out their devices. Although CPU architecture will eventually have to be physically redesigned to completely eliminate these problems, from what has been observed, software patches are sufficient for mitigating the worst aspects of Meltdown and possibly some aspects of Spectre.

What we can learn from these exploits

Although 2018 has just begun, these speculative execution exploits will possibly stand out as some of the year’s worst. Like last year’s CloudBleed and KRACK, even though there’s no evidence of these exploits being used in real hacks, the fact that systems can contain such deeply embedded insecurities is unnerving. The only thing we as consumers can do is to make sure that we continue to practice good cybersecurity habits, regardless of what new exploits are discovered.

For more information about developing technology news and trends, continue reading our technology blog.