What Are "meltdown" and "spectre" and Why Should a Business Care?

• Citation: Vol. 1 No. 3
• Publication year: 2018

Nicholas R. Merker and Matthew A. Diaz^*

The authors of this article discuss the cybersecurity risks associated with "Meltdown" and "Spectre," two hacking techniques that circumvent the security measures in place to protect the raw, unencrypted data during computer processing, and what businesses can do about it.

Recently, many people have been hearing the words "Meltdown," "Spectre," and "cybersecurity risk" spoken in the same sentence. But how worried should you really be? Below is a summary of what you need to know about Meltdown and Spectre and how to proactively protect your computer and data.

When Were the Vulnerabilities Found, and Why Did it Take so Long for Me to Find Out?

It may surprise you to learn the Meltdown and Spectre vulnerabilities were discovered in the summer of 2017.¹ However, it was not out of negligence that the tech industry did not inform the public of the issue. Waiting to make these major vulnerabilities public is common practice among the tech industry.² This delay allowed the tech companies time to develop patches to address the vulnerabilities. Furthermore, by not making these findings public earlier, the tech industry prevented hackers from learning about the vulnerabilities and exploiting them for malicious or criminal purposes.³

What Part of My Computer is Affected?

It is important to highlight that the Meltdown and Spectre vulnerabilities are neither hardware problems with the CPU nor software bugs with an application.⁴ Rather, these issues occur at the processor level in how computer instructions are carried out.⁵

[Page 193]

There are "inviolable" spaces in the computing process where data passes through in a raw, unencrypted form.⁶ At that level, there are powerful protections in place to prevent this transfer of data from being interfered with or seen by any other processes or applications.⁷

What has happened is researchers have discovered two techniques—Meltdown and Spectre—that circumvent the security measures in place to protect the raw, unencrypted data during processing.⁸ This data can include passwords, proprietary information, or encrypted communications.⁹

What Do Meltdown and Spectre Even Mean?

Meltdown primarily affects most Intel processor chips as well as high-performance ARM chips.¹⁰ Meltdown affects the core part of your computer's operating system—the "kernel"—which handles the coordination of data by moving data between different sorts of memory on the chip and elsewhere in the computer.¹¹ This kernel also segregates and protects memory spaces and prevents applications interfering with other data, as well as prevents malicious software from seeing and modifying the data.¹² The Meltdown vulnerability allows hackers to access the kernel and see the information being transmitted, such as your password or sensitive communications.

Spectre affects chips made by Intel, AMD, and ARM, as well as likely affects every other processor on the market that offers the computing process known as "speculative execution."¹³ Effectively, this vulnerability becomes broader than Meltdown by encompassing mobile phones, embedded devices, and essentially anything with a chip, including thermostats and baby monitors.¹⁴ Spectre allows hackers to "trick" applications into disclosing information that is normally protected in a computer's memory by exploiting the speculative execution process.¹⁵ The Spectre vulnerability will essentially leak data that is usually secured and protected.¹⁶

Why Should I Be Worried?

You need to worry about these threats because they likely affect your computer and devices. In total, Meltdown and Spectre affect

[Page 194]

billions of computer systems around the world from mobile phones to desktop computers.¹⁷ The Meltdown vulnerability is said to be "patchable"¹⁸ by building stronger security measures around the kernel, but at a cost—a reduction in your computer's processing speed of anywhere from five percent to as much as 30 percent.¹⁹ The Spectre vulnerability, unfortunately, is not likely to be completely fixed in the near future.²⁰ Since Spectre targets the speculative computing process of your computer, a patch is harder to develop. Systemic fixes have been developed for some aspects of Spectre, but the only real resolution to the vulnerability would be to completely redesign the chip processor, which would take years.²¹

What Can I Do About It?

Unfortunately, users individually can do very little at this point to avoid these security flaws since they are happening "under the hood" so to speak.²² However, patches have already been released by Microsoft and Apple, as well as other tech companies to address the Meltdown vulnerability.²³ The Spectre vulnerability, on the other hand, will take time to patch due to its unique vulnerability. Forbes is maintaining a list of patches being released by all the major tech companies in response to Meltdown and Spectre.²⁴

The important thing to remember is you should check your computer and devices for any software updates, whether you are an individual user or someone responsible for a major IT network.²⁵

What if I Run a Business? What Should My IT Professional Do?

Beyond the installation of the above-mentioned patches, it has become a common business practice to employ something called a "patch management program." If this is the first time you are hearing this phrase, it's time to listen up!

A patch management program is a strategy that businesses and other organizations with sophisticated IT systems use for managing patches or upgrades to software applications and other technolo-gies.²⁶ A patch management program will include the acquisition, testing, and installation of multiple patches to a computer system.²⁷ But the program is far more sophisticated than just these tasks.

[Page 195]

Fred Avolio in a TechTarget article distilled the patch management process into six general steps:

1. Develop an up-to-date inventory of all production systems (including operating system ("OS") types and versions, internet protocol ("IP") addresses, and other critical items);

2. Devise a plan for standardizing production systems to the same OS version and application software;

3. List all security controls your business has implemented;

4. Compare reported vulnerabilities against the inventory list;

5. Classify any risks and assess the vulnerability and likelihood of a cyber-attack; and

6. Determine which patches to deploy on your network.²⁸

There are two ways of implementing a patch management program. It can either be (1) manually administered by an IT professional in your business or (2) automatically managed by installing patch management software. Manual...