Meltdown and Spectre – The big CPU cyber security scare

What’s the easiest way to tell if a tech security issue is really worth worrying about?

We reckon there’s a relatively simple rule to follow when answering this question – it’s when the technology industry and authorities alike openly begin referring to a bug or vulnerability using a distinctly ominous sounding name.

Using this approach we can say beyond any doubt that the news today has delivered something of a ‘double whammy’ on the information security front with many major outlets, including the BBC, reporting the emergence of Meltdown and Spectre.

Now, if they aren’t labels to strike fear into the heart of tech consumers everywhere then we don’t know what are! (That, or it’s a hotly tipped new duo about to drop the hottest grime track of 2018. You decide. – Ed.)

Are these new vulnerabilities really as scary as they sound though? 

Well, it’s often easy just to write off the latest technology fear as yet another scare story which never actually results in the nightmarish outcomes predicted by doomsayers in the media. This has been the case amongst the public ever since the Millennium Bug failed to bring civilisation crashing down, leaving us all with large stocks of tinned food and a distinct feeling that the experts didn’t really know what they were talking about.

In an era now where shunning expert opinion seems to have become the norm though, we really do think the Meltdown and Spectre vulnerabilities warrant being taken seriously. The consequences of not doing so could be truly disastrous.

The main reason for this is the potential reach of the combined security vulnerabilities, with Meltdown and Spectre affecting the global leaders in CPU chip production. Meltdown affects almost every desktop machine, laptop computer or cloud server using an Intel CPU, while the threat of Spectre could be even more widespread, with smartphones, tablets and computers using CPUs produced by Intel, ARM and AMD potentially affected.

In short, just about everybody is likely to be at risk from one or the other (or both).

Meltdownattack.com neatly summarises the vulnerabilities when it says:

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

[Image: Spectre ring. Caption: Spectre – Not this one but just as scary.]

There is therefore no limit to the type of data at risk on a machine when infected by a malicious application developed to target either the Meltdown or Spectre vulnerabilities. Highly sensitive data and credentials (passwords etc.) are potentially sitting ducks to cyber criminals if they are able to capitalise on the security flaws.

The good news is that the various technology giants supplying major operating systems globally will have been the first (non-malevolent actors at least) to have uncovered and been informed of the vulnerabilities, likely many months before the public became aware.

This means there has been time for security updates and patches to be developed, and Microsoft, Apple, Linux and Google (Android OS) have confirmed they have already issued or will soon be issuing wide-ranging fixes. Despite this, it is also worth mentioning that, when it comes to Microsoft Windows, the world’s most used operating system, anyone using an OS older than Windows 10 will remain vulnerable as patches will not be issued for these.

There has been speculation amongst some tech insiders that the updates required to patch the holes that Meltdown and Spectre leverage will affect CPU performance – it’s even been suggested the discovery of these vulnerabilities will force a fundamental rethink on how CPUs are designed and made – although this is as yet unconfirmed.

The reality is though that nothing should be placed above the importance of data security in the here and now. So, if there’s one thing you take from this article let it be this (and excuse the shouty bold capitals but we think it warrants it):

ADMINS AND USERS ALIKE, APPLY YOUR SECURITY PATCHES. IF THEY’RE MADE AVAILABLE IT’S FOR A REASON. DO NOT PUT IT OFF. 

Oh, and one last thing – don’t have nightmares now readers.

For all the latest on developing cyber security stories and the news from DCS be sure to sign up to our mailing list in order to receive our monthly newsletter.
