Spectre and Meltdown

You may have heard of Spectre and Meltdown, two security vulnerabilities that exist in virtually every CPU ever made by the chip giants Intel, AMD, and ARM. Either vulnerability can expose your system to “arbitrary code execution,” the geeky way to say, “A hacker could take complete control of your computer” and run any malware he wants on it. Read on to find out more, and if your computer is vulnerable to these attacks…

The Specter of a Meltdown?

Hacker in a hood on dark blue digital background

The Spectre flaw enables one compromised program, such as a web browser, to compromise another program running on the same machine, such as Microsoft Word. If a hacker can penetrate your browser via the Internet, he can leapfrog from there across every program running on the system.

The Meltdown flaw allows hackers to gain access to a portion of a computer’s memory that should be off-limits to all software except the operating system. And Meltdown doesn’t care if you run Windows, Linux, or Mac OS X. Any of those systems may be vulnerable.

As Meltdown’s name suggests, truly bad things can happen when a rogue program gains access to that portions of memory that should only be accessible by the operating system.. You may have seen the dreaded Blue Screen Of Death (BSOD) where Windows displays the cryptic “fatal memory fault at address…” Boom! Crash! But what’s the point of crashing some stranger’s computer? “Some people’s children” just do it for the “lols,” that is, for laughs. Global superpowers may do it in the name of “national security,” their intelligence agencies spending unlimited money to develop nuclear-grade malware… which, as we now know, “spook shops” like the NSA have allowed to escape into the hands of the “children.”

Worse, Meltdown enables an attacker to access all memory, including areas where your personal information is stored while you are working with it. There lies the profit motive that drives the most widespread attacks. The mercenary “adults” can use Meltdown to make millions.

The titans of tech including chip makers, Microsoft, Apple, and the Linux community, have scrambled to issue hardware and software patches for Spectre and Meltdown. All hands on deck, as they say!

But there is still lingering uncertainty about whether the patches work, or if they do more harm than good.

Ah, fun with words. The software flaw known as “Spectre” is a homophone for “specter.” The former refers to a ghost, phantom, or apparition, and the latter is defined as “a source of terror or dread.” Both can be scary, but only one of them is likely to attack your computer.

As of January 23, Wired! magazine reported that firmware patches issued hastily by Intel, AMD, and ARM to close Meltdown vulnerabilities in their chips “can inadvertently cause serious problems beyond processing slowdowns, including random restarts, and even the blue screen of death.”https://www.wired.com/story/meltdown-spectre-patching-total-train-wreck/ Microsoft went so far as to release a patch that disabled the Intel patch.

On January 22, father-of-Linux Linux Torvalds said, in one of his more diplomatic comments, “the patches are COMPLETE AND UTTER GARBAGE.” Speaking of Intel’s patch crisis managers, he asked rhetorically, “Has anybody talked to them and told them they are f***ing insane?” At least he used an asterisk. (I added two more.)

Since then, there has been thunderous silence from the tech press corps. Does that mean the coast is clear? Is it safe to install firmware updates to your CPU and BIOS, as Intel, AMD, and ARM urge you to do? And how is that done, exactly?

We Need a Gadget Inspector

Before tinkering with the most delicate parts of your system’s delicate “brain,” I recommend that you run the InSpectre (“inspector,” get it?) utility developed by Steve Gibson of Gibson Research Corp. InSpectre “was designed to clarify every system’s current situation so that appropriate measures can be taken to update the system’s hardware and software for maximum security and performance,” according to no less an authority than itself. (Sorry, I couldn’t let that one pass by!)

InSpectre is freeware, less than 200 KB of code, and perfectly safe to run. It will analyze your Windows PC no matter who made its CPU and BIOS, detecting and reporting its vulnerabilities, if any, to Spectre or Meltdown. InSpectre reports its findings in clear, simple terms that even non-geeks can readily understand. (I don’t know of a similar utility for Linux or Mac OS X systems.)

Best of all, its user interface includes two big buttons allowing you to Enable or Disable protection for Meltdown and/or Spectre. If either is greyed out, your system lacks that type of protection. Gibson goes into detail on why you might want to disable either of the protection options, to avoid the performance penalty they may impose. But unless you are noticing a marked decline in speed, I would not recommend doing so.

If InSpectre reports that your PC will remain vulnerable to Spectre or Meltdown until its firmware is updated, then it will be necessary to contact the maker of your PC to download a firmware patch specific to that make/model of PC. A Microsoft Support Page bears a “List of OEM /Server device manufacturers,” including links to their respective Spectre/Meltdown firmware and BIOS update help pages. https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown

The only annoying things about InSpectre are the goofy sound effects, and the display of the results. Looking at InSpectre report is a bit clunky, because the window cannot be resized, and the small font can be hard to read. Position your pointer anywhere within InSpectre’s text window, press Ctrl-A to “select all,” then Ctrl-C to copy the selection, and then Ctrl-V to paste the report into a word processor or text editor. Then you can make the text as big as you like, save the report, or print it.

The best protection against Spectre on the operating system side, as opposed to firmware and BIOS, is Microsoft Windows 10, Fall Creator’s Update, version 1709. Automatic updates are on by default in Windows 10, so you should have v 1709 unless you have deliberately delayed its installation. If you have, go to Windows Update Settings and allow v 1709 to be installed.

Windows 7 users should have auto-updates enabled, too. Run Windows Update and let it install all critical and important updates to protect your system as much as possible via Windows.

It is shocking to learn that nearly everything digital, from desktop PCs to phones and tablets to Internet of Things things, contains a chip that is vulnerable to Spectre or Meltdown. But bear in mind that the world is still not on fire; these vulnerabilities can and are being fixed, if they are not already fixed in your device(s). For now my best advice is “Keep calm and carry on,” auto-updating all of your software.

Have a great week.

Zi Staff