A Plain-English Explanation of the Meltdown and Spectre Vulnerabilities

As though 2017 weren’t bad enough in the world of cybersecurity, the first few days of this year saw the announcement of two severe hardware vulnerabilities affecting almost every computer processor made in the last 20 years.

Making matters worse, the flaws are extremely complex and inherent to the underlying technology that makes modern processors function. That also means they don’t just affect a few specific product lines or brands – they’re almost all-encompassing.

Unlike most vulnerabilities, which affect a specific operating system or program, the Meltdown and Spectre flaws arise from standard features built into computer chips themselves. These features are designed to make the chips run faster, so the only way to patch the vulnerabilities is to turn off the hardware features themselves. To that end, patches have already been released, but not without a significant cost in the performance of certain applications.

So, What Exactly Are Spectre and Meltdown?

Before you can understand how Spectre and Meltdown work and exactly what they exploit, we’ll need to explain a core function of modern processors called speculative execution. Stay with us, we’ll keep it simple.

Speculative execution is a performance optimization technique that has the processor predicting which requests might come next, which enables it to carry out the necessary calculations in advance.

You can compare speculative execution to using your free time to carry out chores you’re pretty sure you’ll need to do later. In much the same way as you’ll want to make the best use of your free time, a microprocessor uses its free time for performing calculations it will likely need later. The result is a significant head start in performance.

Processors store the information they think they’ll need soon in temporary storage. This temporary storage is full of information like passwords and credit cards and was supposedly protected. Spectre and Meltdown represent new methods for accessing this temporary storage without permission.

Hear From Our
Happy Clients

Read Our Reviews

Do You Need to Worry?

For now, Spectre and Meltdown exploits require a lot of technical expertise and cannot be automated. But despite being unlikely targets, SMBs should be aware of the major security vulnerabilities affecting their hardware and operating systems. It is very possible these vulnerabilities could become much easier to deploy.

What makes these flaws so serious, however, is that it’s simply impossible to patch them, as they exist on a hardware level. In other words, they’re inherent design flaws that cannot be patched with a software update.

Fortunately, it’s not all doom and gloom. Although the problems cannot be fixed, it is possible to work around them, and that’s exactly what the patches being released by major manufacturers do. Microsoft, for example, has already released patches for Windows 7 and later, although older operating systems like Windows XP will almost certainly never see a patch.

All mainstream mobile operating systems and browsers have also received patches, although there are some low-cost Android devices that may still be vulnerable if they don’t receive automatic updates from Google. Major cloud providers, such as Amazon, Google and Microsoft have also patched their servers accordingly.

The problem with the workarounds, which you have no choice but to implement for the sake of security, is that they do reduce performance in some applications. While performance reductions were first reported to be around 30%, more recent benchmarks suggest something closer 10%. Furthermore, issues with performance concern only certain workloads and are unlikely to have a discernible effect on most everyday applications.

At Dyrand Systems, it’s our job to make sure technology doesn’t end up being your enemy. That’s why we’re prepared for even the severest of security problems, like those posed by Spectre and Meltdown. Call us todayif you’re ready to start taking back control over your IT with a free security assessment.