The revelation of a previously undiscovered vulnerability at the heart of nearly every modern computer caused shockwaves at the start of 2018.
But what are the Spectre and Meltdown security vulnerabilities, and how do they affect you? This guide—which will be regularly updated—will tell you everything you need to know about Spectre and Meltdown.
Update on February 1, 2019: Check out our new Spectre and Meltdown cheat sheet.
What are Spectre and Meltdown?
They are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone—allowing hackers to read sensitive information, such as passwords, from memory.
Malicious code running on a computer or even in a web browser could exploit these vulnerabilities to access information held in protected memory.
Meltdown could prove particularly dangerous on unpatched cloud platforms, due to the possibility of malicious code inside a virtual machine being able to read data from the memory of the underlying host computer, with the threat that one cloud customer could steal data from another.
Who does Spectre affect?
Practically every PC, server and smartphone is vulnerable to attacks that exploit the Spectre flaws.
Because Spectre-related attacks exploit the fundamental design of modern processors, they could affect far more processors than Meltdown. All of the major processor manufacturers, including AMD, Arm and Intel, have a wide range of processors vulnerable to Spectre-related attacks.
Only older chips, such as those used in the $35 Raspberry Pi 3, aren't vulnerable to Spectre-related attacks.
Who does Meltdown affect?
Meltdown only affects devices that have Intel, Apple or Arm Cortex A75-based processors.
However, given how widely Intel chips are used in PCs and servers there are still a lot of machines affected, particularly since Meltdown affects Intel chips going back decades, with potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms, being vulnerable.
Apple has also indicated that all iPhones, iPads and modern Mac devices are affected by Meltdown.
How do Spectre and Meltdown work?
To understand Spectre, you need to grasp the basics of how modern computer processors work.
Modern processors accelerate the rate at which they execute instructions by loading data into the processor's on-board cache memory ahead of when it's needed. Data can be retrieved from this on-board cache far more rapidly than from the computer's main memory.
If a processor is executing a set of instructions that branches depending on the input, then processors will try to guess which branch of instructions is most likely to be executed and load the necessary data into the processor's cache. These processes, called Branch Prediction and Speculative Execution, are what can be exploited by Spectre attacks. The attacker manipulates the processor so it loads a value from protected memory into the cache. They then follow up by attempting to load known data from unprotected memory. If one piece of this known data loads far more rapidly than the others, then they can infer that this data is being retrieved from the cache, and therefore is related to the value stored in protected memory.
Meltdown works slightly differently, taking advantage of a privilege escalation flaw that allows any user able to execute code on the system to access protected memory. This has the effect of neutralizing security models based on address space isolation and paravirtualized software containers.
There are two variants of Spectre attacks: variant 1, known as Bounds Check Bypass and referenced by CVE-2017-5753, and variant 2, known as Branch Target Injection and referenced by CVE-2017-5715. The Meltdown vulnerability, known as Rogue Data Cache Load, is referenced by CVE-2017-5754.
As of February 2018, security researchers have discovered more than 130 variants of malware designed to exploit either the Spectre or Meltdown flaws. However, most were proof-of-concept code rather than being used in actual attacks.
How can I protect against Spectre and Meltdown?
Patches against Meltdown and variant 1 Spectre attacks are being issued by operating system and virtual machine vendors, with patches rolled out on major operating systems such as Windows and macOS, and automatically applied to most systems.
The Linux kernel has also been patched to help mitigate against Meltdown and Spectre-related attacks, with TechRepublic contributing writer Jack Wallen producing a comprehensive guide on how to check if your Linux-based machine is protected, here.
Fixes for variant 2 of the Spectre attacks require a computer firmware update, which is being issued by chip manufacturers and designers such as Intel and Arm, and sometimes also an operating system kernel update.
Major cloud providers AWS, Google and Microsoft have updated their systems with the latest updates for Spectre and Meltdown, while virtualization provider VMware has issued patches against both variants of the Spectre attacks.
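As an added example (not from the original article or from the Linux guide it mentions), the check on a Linux machine can be scripted against the per-flaw status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities. The function names are hypothetical and the status strings in the demo directory are constructed sample values.

```shell
#!/bin/sh
# Added example: report the kernel's own verdict for the three CVEs in this guide.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_flaws [DIR] -> one line per flaw; returns 1 if any flaw is
# reported vulnerable or its status cannot be determined.
check_cpu_flaws() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for entry in "meltdown CVE-2017-5754" \
                 "spectre_v1 CVE-2017-5753" \
                 "spectre_v2 CVE-2017-5715"; do
        name=${entry% *}
        cve=${entry#* }
        if [ -r "$dir/$name" ]; then
            # read returns non-zero on a missing trailing newline; keep the text
            IFS= read -r line < "$dir/$name" || :
            verdict=$(classify_status "$line")
        else
            # An unpatched kernel has no status file, so treat it as unknown
            line="(no status file)"
            verdict=unknown
        fi
        case $verdict in vulnerable|unknown) rc=1 ;; esac
        printf '%-11s %-14s %-12s %s\n' "$name" "$cve" "$verdict" "$line"
    done
    return $rc
}

# Demo on a constructed directory so the script runs offline on any system.
sample=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sample/spectre_v2"
check_cpu_flaws "$sample" || echo "At least one flaw is not mitigated"
rm -rf "$sample"
```

Calling `check_cpu_flaws` with no argument reads the live system's files instead of the sample directory.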
You can find a comprehensive list of affected computer hardware and software, and the patches issued by vendors, here.
Meltdown is easier to patch against than Spectre, due to Spectre-related attacks exploiting a fundamental design choice in modern processors. Because of the difficulty in addressing Spectre, the patches generally mitigate the risk from attacks, rather than blocking them altogether.
The creator of the Linux kernel, Linus Torvalds, has been particularly critical of how Intel is choosing to patch systems against Spectre variant 2, describing the updates as garbage, due to operating system makers having to add code that opts in to enabling Spectre mitigation.
How will installing patches against Spectre and Meltdown affect my computer?
While tech firms have been preparing updates to mitigate the Spectre and Meltdown flaws for months, details of the vulnerabilities leaked out early.
In the rush to issue patches there have been multiple instances of Spectre- and Meltdown-related updates causing problems of their own.
Intel told computer manufacturers to temporarily stop rolling out its firmware fix for Spectre variant 2 after reports of unexpected reboots on systems that had applied the fix. The problems were originally thought to affect only systems running on older Intel Broadwell and Haswell-era chips, but Intel later revealed that computers using newer processors were also suffering from instability after applying the update.
Microsoft warned that Windows PCs won't receive any further security updates until third-party AV software is verified as compatible with Windows patches for Spectre and Meltdown, although this issue has now mostly been resolved.
And chipmaker AMD worked with Microsoft to resolve problems after the patches caused PCs running on some older AMD Opteron, Athlon and AMD Turion X2 Ultra processors to refuse to boot.
The nature of the Spectre variant 2 flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. A Microsoft analysis of which systems are likely to be worst affected by applying the Spectre fix found the following:
- Most users running Windows 8 and Windows 7 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance.
- Some users running Windows 10 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance, with "more significant slowdowns" than on newer chips.
- Most users running Windows 10 PCs on 2016-era Intel Skylake, Kaby Lake or newer CPUs won't notice a change, due to only "millisecond differences" in operations.
Intel found the same Spectre-related firmware updates can also cause a significant decrease in server performance.
However, the extent of the slowdown was heavily dependent on the nature of the workload and the configuration of the system, with some jobs barely affected and others taking noticeably longer.
Intel tested server platforms running two-socket Intel Xeon Scalable systems based on its Skylake microarchitecture.
The worst affected workloads were those "that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode", according to Intel.
The results found that:
- Benchmarks to simulate common enterprise and cloud workloads saw up to two percent performance impact. Intel simulated these workloads using industry-standard measures of integer and floating point throughput, Linpack, STREAM, server-side Java and energy efficiency benchmarks.
- An online transaction processing (OLTP) benchmark modeling a brokerage firm's customer-broker-stock exchange showed a four percent impact.
- Storage benchmarks varied widely.
- In FlexibleIO, a benchmark simulating different types of I/O loads, stressing the CPU with a 100 percent write led to an 18 percent decrease in throughput performance. However, a 70/30 percent read/write model saw a 2 percent decrease in throughput performance, with no throughput impact for 100 percent read.
- There was also a wide range of impacts when Intel ran Storage Performance Development Kit (SPDK) tests, which provide a set of tools and libraries for writing high-performance, scalable, user-mode storage applications. Using SPDK iSCSI, Intel found as much as a 25 percent impact while using only a single core. However, using SPDK vHost had no impact.
The potential performance impact on servers is such that Microsoft recommends users "evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment".
Google has produced its own Retpoline update to guard against Spectre branch target injection exploits, which Intel has said "could yield less impact".
Major cloud providers, AWS, Google and Microsoft say that, for the majority of workloads, customers should not notice a difference in performance following the updates. However, there have been reports from some customers of a drop off. AWS customer Epic Games attributed a more than 20 percent spike in CPU load on a cloud server hosting games of Fortnite to the impact of the Spectre and Meltdown patches.
Virtualization vendor VMware has also warned that the resulting increase in CPU utilization after applying fixes for Spectre could result in organizations discovering they need to increase the size of clusters of virtual machines where previously they had sufficient capacity.
Will buying a new processor help?
Yes, to an extent: the performance of newer processors appears to suffer less after applying patches against the security flaws.
However, the fact that Spectre exploits a fundamental aspect of modern processor design, one that has delivered significant performance benefits, means that chipmakers can only do so much when designing new processors.
Rewriting the fundamental architecture of modern CPUs will not be a fast process, and in the meantime it will likely mean continuing to use processors that either have some degree of insecurity or perform significantly worse when it comes to certain tasks.
Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.