Meltdown and Spectre – The big CPU cyber security scare

skull-and-crossbones-meltdownWhat’s the easiest way to tell if a tech security issue is really worth worrying about?

We reckon there’s a relatively simple rule to follow when answering this question – it’s when the technology industry and authorities alike openly begin referring to a bug or vulnerability using a distinctly ominous sounding name.

Using this approach we can say beyond any doubt that the news today has delivered something of a ‘double whammy’ on the information security front with many major outlets, including the BBC, reporting the emergence of Meltdown and Spectre.

Now, if they aren’t labels to strike fear in to the heart of tech consumers everywhere then we don’t know what are! (That, or it’s a hotly tipped new duo about to drop the hottest grime track of 2018. You decide. – Ed.)

Are these new vulnerabilities really as scary as they sound though? 

Well, it’s often easy just to write off the latest technology fear as yet another scare story which never actually results in the nightmarish outcomes predicted by doomsayers in the media. This has been the case amongst the public ever since the Millennium Bug failed to bring civilisation crashing down, leaving us all with large stocks of tinned food and a distinct feeling that the experts didn’t really know what they were talking about.

spectre-ghost-in-machineIn an era now where shunning expert opinion seems to have become the norm though, we really do think the Meltdown and Spectre vulnerabilities warrant being taken seriously. The consequences of not doing so could be truly disastrous.

The main reason for this is the potential reach of the combined security vulnerabilities with Meltdown and Spectre affecting the global leaders in CPU computer chip production. Meltdown affects almost every desktop machine, laptop computer or cloud server using an Intel CPU, while the threat of Spectre could be even more widespread with smartphones, tablets and computers using CPUs produced by Intel, ARM and AMD potentially affected.

In short, just about everybody is likely to be at risk from one or the other (or both). neatly summarises the vulnerabilities when it says:

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

Spectre ring

Spectre – Not this one but just as scary.

There is therefore no limit to the type of data at risk on a machine when infected by a malicious application developed to target either the Meltdown or Spectre vulnerabilities. Highly sensitive data and credentials (passwords etc.) are potentially sitting ducks to cyber criminals if they are able to capitalise on the security flaws.

The good news is that the various technology giants supplying major operating systems globally will have been the first (non-malevolent actors at least) to have uncovered and been informed on the vulnerabilities, likely many months before the public became aware.

This means there has been time for security updates and patches to be developed and Microsoft, Apple, Linux and Google (Android OS) have confirmed they have already issued or will soon be issuing wide-ranging fixes. Despite this, it is also worth mentioning that when it comes to Microsoft Windows, the World’s most used operating system, that anyone using an OS older than Windows 10 will remain vulnerable as patches will not be issued for these.

There has been speculation amongst some tech insiders that the updates required to patch the holes that Meltdown and Spectre leverage will affect CPU performance – it’s even been suggested the discovery of these vulnerabilities will force a fundamental rethink on how CPUs are designed and made – although this is as yet unconfirmed.

The reality is though that nothing should be placed above the importance of data security in the here and now. So, if there’s one thing you take from this article let it be this (and excuse the shouty bold capitals but we think it warrants it):


Oh, and one last thing – don’t have nightmares now readers.

For all the latest on developing cyber security stories and the news from DCS be sure to sign up to our mailing list in order to receive our monthly newsletter.

Related Posts
Sage 200 – Are you running behind?

Your business software, probably more than any other critical tool within your organisation, is the system that changes and evolves most rapidly in order to provide increased functionality and a better platform for efficient operations. However, accessing the benefits of the latest versions of powerful software solutions like Sage 200 relies on a proactive approach...

Document Storage and Retrieval Solutions

Modernisation doesn’t necessarily mean overhauling all of your current systems and processes, in a bid to replace them with shiny new ones. Sometimes it can be something as simple as connecting add-ons to your existing software. Document storage and retrieval is something that many organisations still do the old-fashioned way… scan in their document/s one...

Don’t close your eyes. It’s time to be aware. Know the threats.

In recent weeks I have spoken with clients and prospective clients who have been subjected to attack by cyber criminals.  Cyber-attacks on SMEs are becoming more common and more sophisticated.  In some cases, the attacks were successful and there was resulting business interruption from system downtime and data-loss from ransomware encrypting critical business files. A...