Spectre and Meltdown Computer Security Vulnerabilities Explained

According to CSO’s January 15, 2018 article, “Spectre and Meltdown Explained: What they are, how they work, what’s at risk,” by Josh Fruhlinger:

Spectre and Meltdown are the names given to a trio of variations on a vulnerability that affects nearly every computer chip manufactured in the last 20 years. The flaws are so fundamental and widespread that security researchers are calling them catastrophic. [Emphasis added]

Spectre and Meltdown: What Are These Two Security Vulnerabilities?

 According to CSO, the Spectre and Meltdown security vulnerabilities

 . . . are the names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip manufactured in the last 20 years and could, if exploited, allow attackers to get access to data previously considered completely protected. Security researchers discovered the flaws late in 2017 and publicized them in early 2018. Technically, there are three variations on the vulnerability, each given its own CVE number; two of those variants are grouped together as Spectre and the third is dubbed Meltdown. [Emphasis added]

. . .

All of the variants of this underlying vulnerability involve a malicious program gaining access to data that it shouldn’t have the right to see, and do so by exploiting two important techniques used to speed up computer chips, called speculative execution and caching. [Emphasis added]

Spectre and Meltdown Differences & Their Dangers

The CSO article further stated that

. . . Spectre and Meltdown could allow potential attackers to get access to data they shouldn’t have access to . . . but their effects are somewhat different:

  • Meltdown got its name because it “melts” security boundaries normally enforced by hardware. By exploiting Meltdown, an attacker can use a program running on a machine to gain access to data from all over that machine that the program shouldn’t normally be able to see, including data belonging to other programs and data that only administrators should have access to. Meltdown doesn’t require too much knowledge of how the program the attacker hijacks works, but it only works with specific kinds of Intel chips. This is a pretty severe problem but fixes are being rolled out. [Emphasis added]
  • By exploiting the Spectre variants, an attacker can make a program reveal some of its own data that should have been kept secret. It requires more intimate knowledge of the victim program’s inner workings, and doesn’t allow access to other programs’ data, but will also work on just about any computer chip out there. Spectre’s name comes from speculative execution but also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That’s the other reason for the name: Spectre will be haunting us for some time. [Emphasis added]

Regarding the dangers of Spectre and Meltdown, the CSO article stated:

Spectre and Meltdown both open up possibilities for dangerous attacks. For instance, JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Attackers could exploit Meltdown to view data owned by other users and even other virtual servers hosted on the same hardware, which is potentially disastrous for cloud computing hosts. [Emphasis added]

But beyond the potential specific attacks themselves lies the fact that the flaws are fundamental to the hardware platforms running beneath the software we use every day. Even code that is formally secure as written turns out to be vulnerable, because the assumptions underlying the security processes built into the code — indeed, built into all of computer programming — have turned out to be false. [Emphasis added]

The CSO article also provides details about speculative execution, caching, protected memory, Spectre and Meltdown patches, as well as when PCs, Macs, iPhones, Androids or browsers will get a patch and information about the impact of Spectre and Meltdown on performance.

Spectre and Meltdown: An Informative Red Hat Video

Red Hat’s YouTube video, “Meltdown and Spectre in 3 Minutes,” by provides a good, basic explanation of the two threats and what is being done about the security vulnerabilities.

Spectre and Meltdown Computer Chips Image

Image: Pixabay, axonite, CC0 1.0 Universal 

Kehoe Law Firm Class Action Investigations

Please click Apple iPhone Slowdown, Apple iPhone Class Action, iPhone Slowdown Lawsuits, Intel Class Action Lawsuits, INTC Chip Processor, and AMD for information about other ongoing class action investigations.

Kehoe Law Firm, P.C.