What Regular People Need to Know About the Newest Computer Vulnerabilities…Meltdown & Spectre

Posted on January 8, 2018 by vsajewel

Above Image Credit: The Internet Society

2017 Was an Unprecedented Year for Data Vulnerabilities

Dark Reading, a widely-read cyber security news site wrote in the 3rd quarter of 2017 that “2017 has broken the record for security vulnerabilities.” That was even before the year was completed. In another more recent article, Trend Micro listed all of the major exploits which occurred in 2017. Of those Cloudbleed and the Krack Attack seemed to garner the most widespread publicity in the category of security flaws, whereas the WannaCry and NotPetya attacks made one specific category of virus known as ‘ransomware‘ a household word.

Cloudbleed, in February of last year, was significant because it was identified early on as potentially being as extensive as 2014’s Heart Bleed. But the main company involved, Cloud Flare, responded in an exemplary manner with almost immediate intervention and patching. Their quick actions kept Cloudbleed in check.

Krack Attack, which occurred much more recently in November, was also very successfully mitigated because major hardware vendors like Microsoft and Apple came out with hardware specific patches very early in the process too.

Krack Attack was unique for most of us because it was the first time we learned about how major vulnerabilities followed a specific protocol in terms of how and when they are first announced to the public. We learned that oftentimes serious vulnerabilities are only publicly announced after any vendors which are impacted have been notified first, and given the opportunity to develop solutions prior to the vulnerability’s first public announcement.

One could only hope that in 2017 we’d seen the worst of it.

Sadly, 2018 has barely begun, and already the 2 biggest vulnerabilities ever discovered to date were just announced a few days ago.

Meltdown and Spectre

What are Meltdown and Spectre?

Meltdown and Spectre are 2 new massively extensive vulnerabilities that were first leaked to the press around January 3, 2018. The reason they are so massive is because these 2 security risks impact virtually every kind of computing device being used today. Everything from small IoT devices, to cellphones and tablets, on up to computers and very large servers are vulnerable. It’s not just a matter of if they are vulnerable either….because they all are vulnerable…without a doubt. Essentially anything that has an operating system and can access the Internet is affected by these 2 new vulnerabilities.

How Could A Vulnerability Be So Extensive?

The names given to these 2 security flaws provide just an inkling of the devastation they could entail. That these are the most significant set of vulnerabilities discovered to date is without question. Wired describes the public’s reaction as ‘a critical mass of confusion’ resulting in pandemonium.

One aspect that has an even more confounding impact is the fact that these vulnerabilities have actually been in existence for about 20 years.

Some have likened them to very old skeletons in the architectural closets of systems’ frameworks.

Simply understanding what the exact risks are is challenging. Multiply that by 2 and it gets more confusing still. A quick description is that the most highly protected data that’s managed by devices, things like passwords and encrypted data, has been found to have previously unrecognized avenues of unauthorized accessibility. That means that unauthorized users could gain ready access to the data you guard most closely. This recent TechCrunch article does the best job I’ve found explaining what these vulnerabilities are and what they mean to everyday users like you and me.

Graz University of Technology based in Australia, was instrumental in detecting the Meltdown security vulnerability. They’ve published an informative website which provides users with lots of great information about both flaws.

After reading TechCrunch’s article you should have a fairly good appreciation for the extent and seriousness of the problem. One thing to note is that it was the press, a UK publication, the Register, who revealed these vulnerabilities to us long before they should have or would have, had the protocol we learned about during the Krack Attack been in effect.

IMG_3736

Another really interesting aspect of both security flaws is how they were discovered. Both flaws have existed for a very long time…since the early 1990’s generally. But 4 separate discoveries of them were made almost simultaneously, in the few months leading up to this public announcement. Wired wrote a fascinating retrospective on how this happened yesterday (Sunday 1/7/18) entitled ‘Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw at the Same Time.’

Was this earlier than planned announcement good or bad?

Probably a little bit of both. It’s good that we know about it asap…but bad that many hardware vendors haven’t yet had an opportunity to write and release their patches.

What can users do now?

Since every kind of hardware is affected, and hardware patches will be the only true fix, you can only wait for your hardware vendor to supply the patches and then make sure to install them. The TechCrunch article also notes that some of these patches will, more than likely, have some unforeseen negative consequences for users. Hardware processing speeds will more than likely decrease and other software incompatibilities may arise as a result of the patches.

But even those negatives don’t warrant not installing the patches when they are available. And as you’ll see below, Intel believes that their patches won’t have any negative speed implications for users. The fact that patches can even be used to address the situation is a huge plus since it was believed by many industry experts when the news first broke that nothing short of complete replacement of all offending hardware would mitigate the problem!

If you’re an Apple user, an Ars Technica article that was just published today states that Apple has already released patches. ios 11.2.2 and macOS High Sierra 10.13.2 both include patches for both security problems.

Is there anything else users can do right now?

Perhaps the best advice I can give you is to be proactive when it comes to safeguarding your personal data. Use password managers and consider protecting all of your devices with firewalls. And always make sure you keep your operating systems as up to date as possible.

Find Out More Information About Your Specific Hardware

Gizmodo has put together a really helpful website which gives more information about the status of patches for various types of hardware. It appears that they are updating this site whenever new information becomes available. Consider the Gizmodo site as the best  ‘one stop shop’ if you’re inclined to only want to check out one additional source of information.

IMG_3737

Learn More About What Firewalls Are and How They Can Help You

If there can be any good aspects of these 2 new vulnerabilities one may be that it doesn’t appear they can be leveraged remotely. But that isn’t set in stone nor does it mean that remote threats can be discounted. Probably the most significant threats to average users come from remote sources.

The good news here is that there is something you can use to arm yourself with significantly greater protection. That extra protection can come from hardware Firewalls.

Firewalls, which are designed to keep intruders away from every single type of Internet capable device in your home, might possibly be the best way to protect yourself and your family’s personal data from remote intervention. So, while in this instance, Firewalls won’t really help you out…they certainly won’t hurt anything. Yet in the vast majority of circumstances which threaten homeowners…Firewalls can go a very long way towards providing protection which is light years beyond what most users have currently.

Even better though is the fact that these types of devices are just making their entrance into the home market. Previously, hardware firewalls would have been cost prohibitive for homeowners. But several vendors recently began introducing models which are specifically designed for home use…and they’re priced very reasonably too! We’re talking a few hundred dollars here instead of thousands of dollars…which was the case even a year ago!

I’ve been working on a series of articles which introduces Firewalls to new users. But I still have several parts I need to write. So far, I’ve only written the first 2 parts, which are:

Part 1 | What Hackers Don’t Want You to Know About Firewalls

Part 2 | Beginner’s Guide to Firewalls for Small Networks | Network Design

New Information Shows That Intel & Much of The Related Computing Industry Learned About Both Vulnerabilities in June 2017

The earliest consequences have just begun filtering in over the last few days. On Friday (1/5/2018) Ars Technica reported that 3 class action law suits have been filed against Intel. Because Intel provides more CPU chips than any other processor vendor in the for desktops and laptops. Apparently Intel was first notified about these vulnerabilities in June of 2017. According to Intel, they’ve already begun releasing patches and dire performance predictions are very overblown. They don’t anticipate that most users will even notice performance decreases at all.

However, the fact that Intel’s CEO, Brian Krzanich, sold millions of dollars worth of Intel stock upon learning about the vulnerabilities has many speculating about the deeper, more nefarious intentions of Intel.

IMG_3735

In what is perhaps the most enlightening article I’ve read regarding timing of these vulnerabilities discoveries, Bloomberg Technology’s new article pictured above ‘It Can’t Be True…‘ lays out, in great detail, what was discovered by who, when, and when it was communicated to Intel and the larger computing hardware industry. I was surprised to discover that both vulnerabilities were discovered last June, and both were reported to Intel within days of their discovery.

Final Note

Slashdot.org is reporting that some of Microsoft’s Meltdown and Spectre patches are bricking some AMD PCs.

Using the combined resources of the above Bloomberg article and Wired’s ‘How So Many Researchers Made the Same Discovery‘ article mentioned earlier, we now know that Google has already patched most everything they need to because it was a young Google security employee who was one of the first to discover both flaws and inform Intel about them. It’s also now evident that many more patches have already been released and have been in operation for quite some time. However, an equally large and important sector of the industry was kept in the dark until the Register made their public disclosure on January 2nd. Their actions in fact led Intel to make a their own public disclosure on January 3rd.

Given the newness of the information to such large sectors of the population this will undoubtedly mean there will be more patches released that will have unintended consequences like Microsoft’s. What’s more troubling still is that it appears to many as if these 2 discoveries may just be the ‘tip of the iceberg.’ It seems to worry a significant number of industry experts that more flaws may be forthcoming. That fact coupled with the disclosure that the NSA doesn’t always see fit to disclose security flaws that they uncover, but rather chooses to exploit them first for their own gain, casts a distinct cloud of darkness over what the future may hold for the larger data and cyber security world.

Comments

Please feel free to leave me and my readers any comments by scrolling further down the page until you see the small Comments box.

About vsajewel

Hi...I'm the author of 2 main blogs on WordPress...vsatips...where I write tech tips for mobile devices...primarily ios...2nd is vsatrends...where I write less about tech things and more about everything else. I also host a YouTube channel which I use to better illustrate some of the 'how to's' in my posts. I love everything about technology. Currently, my main interests/platforms are ios, Windows and Amazon Echo. Recently I decided we were spending way too much money with our local cable provider. So I decided to cut the cord. There is a definite learning curve, especially the antennae part, but we successfully did that and are now saving a boatload of money, so I write some about that. I also am extremely conscientious about security because of an event my family endured , so I write a lot about that too. Two sub-categories of security I tend to focus on are the password manager Dashlane and Hardware Firewalls. Last, I take a lot of notes and have been a beta tester for Evernote for many years. I love Evernote! In recent years Apple has beefed up Apple Notes a lot...so it’s become a fairly serious note contender...as long as its OK if you lose or mess up all your Apple note data. I write about those 2 note platforms primarily.
This entry was posted in Computer & network security, Digital security, Firewalls and tagged , , , , , , . Bookmark the permalink.

Please leave any comments or questions here and thanks for visiting!

This site uses Akismet to reduce spam. Learn how your comment data is processed.