What makes these vulnerabilities so concerning?
Each vulnerability creates an opening for cybercriminals to siphon private information — login credentials, confidential files, and more. Once attackers get malicious code executing on a vulnerable processor, they can reach into other programs sharing that hardware and pull out data. Cloud platforms amplify this risk considerably.
What's the significance of cloud platforms?
Major operators including Amazon, Microsoft, and Google run these services, letting businesses and individuals tap into processing power remotely. Typically, a single physical server hosts workloads from numerous customers at once. With the Meltdown weakness, an attacker can simply deploy their own code on a cloud instance and then harvest information belonging to other tenants on that same physical hardware.
What about smartphones and personal computers?
Personal devices and computers present tougher targets. To leverage these processor weaknesses, attackers first need a foothold on your device. Common tactics include duping users into installing a rogue app from a mobile marketplace, or luring them to a webpage that silently deposits malicious code.
Are companies working on solutions?
Efforts are underway. A software patch can address Meltdown directly. Microsoft has already shipped a fix for Windows machines. Apple announced patches for iOS, macOS, and Apple TV that reduce exposure. Intel is developing its own updates to tackle the vulnerability. Now the responsibility falls on individuals and organizations to deploy these fixes.
What can consumers do?
Stay current with all software updates — your OS, browser, and security tools included. Microsoft, Mozilla, and Google have issued browser patches for Internet Explorer, Firefox, and Chrome respectively. Security professionals also recommend running an ad blocker, since even major sites can unwittingly serve hostile code through advertising networks. uBlock Origin is widely favored among security researchers. "Advertising is the core issue — it's risky," noted Jeremiah Grossman, who leads security strategy at SentinelOne. "These are full applications, and they can deliver malware."
How do I update my software?
Most operating systems and applications include an option to search for available updates. In Chrome on desktop, for instance, hit the three-dot menu in the top-right and select Update Google Chrome. For Windows, hit Start, then navigate: Settings → Update & security → Windows Update → Check for updates. On a Mac, launch the App Store and look under the Updates tab. Act quickly — last year, the WannaCry malware spread across hundreds of thousands of Windows systems. Microsoft had pushed a fix beforehand, yet countless machines remained unpatched.
What's happening with cloud services?
Amazon, Google, and Microsoft report they've patched the bulk of the servers backing their cloud offerings, which substantially mitigates the risk. However, both Amazon and Google note that customers may need to take extra steps. Cloud providers allocate capacity through "virtual machines" — essentially software-defined computers. Tenants run their workloads inside these VMs. Once providers update the underlying infrastructure, customers may still need to patch the operating systems within their own virtual machines to close remaining attack paths.
Will updating everything resolve the issue?
Not entirely. The Meltdown researchers found that patches can drag performance down by up to 30 percent under specific workloads — a meaningful concern for large-scale cloud operations. Independent developers testing patched builds of Linux — the open-source OS now powering more than 30 percent of global servers — observed comparable slowdowns. "In numerous scenarios there's no measurable hit," explained Andres Frome, a developer who has evaluated the new code. "However, for workloads like payment processing, where frequent small data updates happen, expect a noticeable performance cost." Everyday users will probably see little impact, and Mr. Kocher suggested the slowdown should lessen as patches mature.
What's the situation with Spectre?
The research team — which includes specialists from Google, the memory chip maker Rambus, and several universities — reports that Spectre cannot be fully eliminated. Yet certain patch deployments do neutralize specific attack scenarios. Intel, Microsoft, and others have echoed this assessment.
Can Spectre actually be patched?
The researchers confirm that's accurate. However, exploiting Spectre demands considerably more effort from attackers than Meltdown does. Like Meltdown, Spectre enables one program to lift secrets from another — a downloaded app, for example, could swipe credentials from elsewhere on the system. On Wednesday, the Department of Homeland Security published a bulletin stating that fully replacing processors would be the only true remedy for both Meltdown and Spectre. Given the sheer volume of affected hardware, however, that's unrealistic. "Spectre will stick around for years," Mr. Kocher warned. Donald Parker, an Intel vice president, insists the company's processors don't require replacement. He argues that software patches combined with "firmware updates" — modifications to the chip's own code — can sufficiently "address the issues."