Photo by Brian Kostiuk on Unsplash
Confidentiality, Integrity and Availability are the pillars of computer security. These three are the most important aspects of a software and are something that every industry level application has to comply to. All of these aspects have been broken in recent months (the Equifax leaks and the Uber hacks – that exploit confidentiality of users.
A new exploit, called Meltdown and Spectre, has been discovered by researchers that pulls confidentiality and integrity apart and can potentially snoop into your computer’s kernel, the innermost section of your computer.
What are these two vulnerabilities?
Meltdown and Spectre are two vulnerabilities that were recently announced by three Austrian security researchers and which affects almost all the devices on the planet. Researchers say that these vulnerabilities are something that they haven’t encountered in a long time and could take years to be completely fixed since it involves changing how the processor chips are designed.
How they work
Both these vulnerabilities take advantage of a process called Speculative Execution in microprocessor chips. These chips are the heart and brain of a machine and are responsible for making sure the machine (laptop, computer etc) are working how they should be. Speculative Execution prepares instructions that the user might execute in advance by reading their functional patterns over a period of time. In other words, the processor tries to guess the outcome of a future instruction by executing all the possibilities in advance. When the user executes one of these two possible outcomes, the processor throws the other un-executed instructions away.
“The processor basically runs too far ahead, executing instructions that it should not execute,” says Daniel Gruss, one of the researchers from the Graz University of Technology who discovered the attacks.
However, before throwing them out, these instructions are saved in a temporary storage space, called cache, unencrypted. A carefully constructed malicious code could tap into the cache and not only figure out whether the requested data is in the cache or not but also steal information from the inner most privileged part of the processor.
Can I even do anything about it?
Both yes and no. From a design point of view, unfortunately you cannot do anything since this is a vulnerability based on how the chips are manufactured. Several prominent chip manufacturing companies (like Intel, Apple) are involved in currently in developing a permanent fix to this issue.
The good news is that they have already started rolling out patches (temporary fix) for one of the vulnerabilities mentioned above. What you can do is keep your system up to date. This means you need to click “Yes’ on that ‘update Windows now’ question that you have been stalling for a long time. If you have not received any notification from your operating system, go to My Computer (on Windows) and Right click –> Properties. Make sure you have the latest version of Windows on it.
It has been noted that installing patches for this flaw is slowing down the speeds of the machines to some extent. I would still recommend you to update your system as it will be wiser to sacrifice your performance for safety.
This was so valuable!!
Thanks!!