New bad guys in town: Spectre and Meltdown
At the end of 2017, two new bugs surfaced that shook the entire technology world. The giant software and hardware design companies sprang into action to provide workarounds that protect systems from attack. Spectre and Meltdown are two different vulnerabilities that were coincidentally discovered back to back, within a few days of each other. There has been a lot of buzz about these two terms. We know they are dangerous, so it is better to know them!
Meltdown is a novel attack that allows overcoming memory isolation completely by providing a simple way for any user process to read the entire kernel memory of the machine it executes on, including all physical memory mapped in the kernel region. Meltdown does not exploit any software vulnerability, i.e., it works on all major operating systems. The vulnerabilities, Meltdown and Spectre, can allow passwords and other sensitive data on chips to be read. The flaws result from the way computers try to guess what users are likely to do next, a process called speculative execution.
Speculative execution is a process in which a chip attempts to predict the future in order to work faster. If the chip knows that a program involves multiple logical branches, it will start working out the math for all of those branches before the program even has to decide between them. For example, if the program says, “If P is true, execute function A; if P is false, execute function B”, the chip can start computing both functions A and B in parallel before it even knows whether P is true or false. Once it knows whether P is true or false, it already has a head start on what comes after, which speeds up processing overall. Because of this speculative execution, however, a process starts accessing data before it has been given permission to do so.
Theoretically, this is still secure because the data obtained by speculative execution is protected at the hardware level. Yet it allows the process to see the data before it is permitted to, which makes the system vulnerable to attack. Both vulnerabilities allow attackers to read sensitive data, but not to edit it in any way.
Global technology giants Google, Microsoft, Linux and Apple have launched software patches to minimize the damage. Since the root cause of the problem lies in the method used to make systems faster, these patches will slow systems down, especially those with Intel chips vulnerable to Meltdown. Also, the patches do not always work with other software. For example, a fix for Spectre led to issues turning on some computers with AMD chips, and a Meltdown patch for Microsoft Windows required changes from antivirus makers. Everything comes with a trade-off!
These vulnerabilities are 20 years old. Nobody knows whether someone had already found them and had been exploiting systems all along. The tech world is thankful to the researchers who discovered them and brought them to light.
Now that they are public knowledge, we hope new chips will eliminate such loopholes and give our systems better security.
Meanwhile, whether you run a business online, develop apps, or are just a user, you can apply the security patches provided by your vendors to defend against these vulnerabilities.
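Once the vendor patches are installed, it is worth confirming that they are actually active. The script below is an added example, not part of the original post: it assumes a Linux machine whose kernel reports mitigation status under /sys/devices/system/cpu/vulnerabilities, and the SAMPLE contents and function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Status files exposed by patched Linux kernels, one file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents; spectre_v2 is left out to simulate an old kernel.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
}

def classify(raw):
    """Reduce one status line to a verdict."""
    s = raw.strip()
    if s.startswith("Not affected"):
        return "NOT_AFFECTED"
    if s.startswith("Mitigation:"):
        # A mitigation line may still list a sub-feature as vulnerable.
        return "PARTIAL" if "vulnerable" in s.lower() else "PATCHED"
    return "VULNERABLE" if s.startswith("Vulnerable") else "UNKNOWN"

def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw status)} for Meltdown and Spectre v1/v2."""
    report = {}
    for issue in ISSUES:
        try:
            raw = (Path(sysfs_dir) / issue).read_text().strip()
            report[issue] = (classify(raw), raw)
        except OSError:
            # No status file: the kernel predates the reporting interface.
            report[issue] = ("NO_REPORT", "")
    return report

def needs_action(report):
    """Issues where the vendor patch is missing, incomplete or unreported."""
    return sorted(i for i, (v, _) in report.items() if v not in ("PATCHED", "NOT_AFFECTED"))

def demo():
    """Audit a temporary directory filled with the constructed SAMPLE files."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE.items():
            (Path(tmp) / name).write_text(text)
        return audit(tmp)

if __name__ == "__main__":
    for issue, (verdict, raw) in audit().items():
        print(f"{issue:12} {verdict:13} {raw}")
```

Any issue returned by needs_action() means the machine still needs a kernel or firmware update from its vendor.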