Spectre, Meltdown, Vulnerabilities in the news

You may have seen a lot of scary news stories about some vulnerabilities recently disclosed that affect just about every computing device imaginable [depending on where you get your news].

Here is a short non-technical common-sense rundown of what this is all about.

What is Spectre and Meltdown?

Basically they are newly-disclosed ways for a crafty hacker to access supposedly secret info on your device.

As CNET.com puts it:

….. the issue doesn’t result from a badly written computer code. Instead, the problem comes down to the way the chips are intentionally designed.

Processors are supposed to make the secret information easier to access as they gear up to run the next process on a computer. As the programming quip goes, this is a feature, not a bug.

Why are they called Spectre and Meltdown?

Because people like to come up with cool names for these things. It’s more interesting to call it “Spectre” than “Security Bulletin #598267”.

Am I in danger?

Immediately, no. It’s not like someone could just randomly swipe information from your device by driving by your house. A hacker would need to be fairly technically minded AND install some code on your machine.

Of course, now that “everyone” knows about it, somebody somewhere is going to try to use this information.

As Meraki.com put it:

These vulnerabilities could allow an unprivileged attacker with direct access to a computing device, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.

Notice the phrases “COULD allow”,  “with direct access to a computing device” and “in specific circumstances”. That means it would take a concerted effort to compromise your machine.

Should I panic?

Absolutely not….. not about THIS, anyway. If you would LIKE to panic about something else, be our guest.

What should I do?

Two primary things you can do, BOTH of which you should already be doing:

1) UPDATE YOUR SYSTEM and SOFTWARE. If you’ve been ignoring those system update, then get it updated NOW. OK, if you MUST get some work done, start the updates as you finish for the day, and let them run all night.

Yes, it could take that long, depending on how long you’ve been putting them off!

Especially on WIndows, MDS TEch recommends checking for updates again

2) USE COMMON SENSE ONLINE. Don’t just click anything you come across – double-eyeball it to make sure it’s actually legit. If an email comes in from someone you trust, but the contents don’t match the person – triple-check it before clicking on anything.

Will the updates slow down my machine?

Technically, yes. The big question is “will you notice a difference”? Intel has stated that most users – doing average computing stuff – won’t notice a difference.

MDS Tech’s take on this is that you MIGHT notice your machine slows down a bit – if your machine is more than 3 years old.

MIGHT.

Will the updates break my computer?

There have been a few instances where the updates that were hurredly rushed out caused some machines with certain AMD processes to quit working., or SOME software quit working. We’ve seen some articles stating that it depends on the exact processor, what antivirus you are using, and presumably what phase the moon is in when you apply the update.

Stated another way, there doesn’t seem to be an EXACT set of causes of the problem.

Where else can I learn more?

  1. Meraki.com
  2. Security Week –> Apple updates
  3. cnet.com
  4. theGuardian.com
  5. arstechnica.com – if you you’d like some deeply technical info about the various companies’ responses.

Why do people try to break into machines anyway?

Sonicwall has an interesting article on the Hacker’s motivation.