Why Spectre vulnerability is and isn’t so scary

Late in 2017, several groups of researchers, from Graz University of Technology in Austria to Google’s labs, discovered a pair of exploits subsequently dubbed “Meltdown” and “Spectre” that have the cyber security community all abuzz. What makes these exploits so scary is the fact that they allow access to the most sensitive information on almost all the active computers in the world.

Modern computer and smartphone processors are supposed to isolate user processes from their ‘kernel’ or core memory. These exploits allow access, through a flaw in computer chips, to this most sensitive information such as passwords, photos, and browsing history, on desktops, laptops, cloud servers, and smartphones – without leaving a trace.

Surprisingly, this flaw was introduced into Intel chips back in the 1990s and had never been discovered until now. Another interesting aspect of this discovery is that disparate groups of researchers found the flaw at the same time – without cooperation. One researcher from Graz admits, “it's not clear” what leads the world's best security researchers to make near-simultaneous discoveries, but it’s not the first time it’s happened.

The vulnerability comes from a clever aspect of modern processors that allows them to work faster and more efficiently. They have the ability to predict the likely outcome of processes and, rather than staying idle, begin work based on these predictions. Later, they check whether their predictions were correct and then either execute the command they prepared in advance or correct themselves if the predictions were wrong. This allows for much more efficient processors. However, the new exploits take advantage of this out-of-order processing to quietly siphon user information into a secret untraceable cache.

Meltdown and Spectre can affect all operating systems including Windows, Linux, iOS, and Android, as almost all processors have been operating this way since the mid-90s. However, before you panic, you should know that there are no known criminal uses of this vulnerability, and cyber experts consider it a difficult vulnerability to exploit. Most experts agree that it is a ‘high-impact, low-probability-of-attack’ situation. This will of course change as information about the weaknesses spreads.

Users are encouraged to turn on ‘auto-update’ on their machines’ endpoint systems or install updates with fixes as soon as they are publicly available.
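
One way to confirm on a Linux machine that installed updates are actually active, shown as an added example that is not part of the original article. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`; the function names are hypothetical, and an optional directory argument lets it run against constructed sample files.

```shell
#!/bin/sh
# Added example: report kernel-side Meltdown/Spectre mitigation status on Linux.
# Assumption: the running kernel exposes the sysfs directory used below;
# a file the kernel does not provide is reported as "unknown".

# classify_status STATUS_LINE -> prints ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints "name: class (raw status)" for each issue.
# Returns 1 if any entry is vulnerable or cannot be determined, else 0.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw="not reported by this kernel"
        fi
        class=$(classify_status "$raw")
        echo "$name: $class ($raw)"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: check the live system, or a directory given as argument.
check_cpu_vulns "$@" || echo "action needed: install pending updates"
```

A line that reads `vulnerable` or `unknown` after updating means the fix is not in effect on that machine.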

Intel and other chip manufacturers are the main targets and have issued statements saying that they will release fixes shortly. On the other hand, Linus Torvalds, inventor of Linux, recently assessed Intel’s fixes as “garbage”. While experts may not agree yet on the fix, it is clear that “Spectre” and “Meltdown” have yet to morph into the terrifying attacks their names suggest. Stay tuned to your favorite tech media outlet for more on how to protect your devices.