A Word About Spectre And Meltdown

You'll have seen in the press over the last couple of days that a serious security bug has been discovered which exists in many processors made by Intel and others over the past decade. There are 2 bugs, which have been named Spectre and Meltdown. They're serious, and could potentially allow malicious software to access information on your PC. Although the bugs are in the processor itself, their effects can be largely mitigated by a patch to the operating system. If you're worried, don't be. Almost every computer in the world is affected by these bugs, and the chances of you being personally targeted by hackers as a result of them are pretty much non-existent. But here are a couple of recommendations from me.

1. If you're in the market for a new computer or phone but you can afford to wait a while, do so. Intel and others are now starting to manufacture chips that include the fix.

2. If you use Windows 7, 8 or 10, don't panic. Microsoft is issuing patches and these will be rolled out just like any other security update. As always, ensure that automatic updates are enabled on your computer.

3. Keep an eye on your antivirus software and ensure that it is also up to date. The 2 chip bugs affect the way that antivirus software works, and so the AV software companies are rolling out their own updates. Until your AV software has been updated, and has set a special flag on your computer to indicate that it has done so, Windows won't install its own fix for Spectre and Meltdown. So if you have been concerned for some time that your AV software isn't updating properly, now is the time to sort it out.

4. If you use a version of Windows older than 7, then you really need to get up to date. Lots of security problems that were discovered since support for Windows XP ended, including this one, mean that it really isn't safe to continue with XP any more.

And that's really all you need to do.

Comments

I have to wonder if in view of the long history of this same "bug" being installed in the CPUs of so many manufacturers if this isn't a back-door or keyhole that was intentionally installed for security (as in NATIONAL) or counter-intelligence purposes. I'm not a "conspiracy theory" freak, in fact, if this is the case, I'd be very upset that this "bug" is outed and in such a way as to make the CPU makers look bad for doing something to help keep our nation safe.

Could this be a possibility??

Only to the Tin Foil Hat Brigade.

Rev_Don, Yeah, I'm not so worried about Big Brother, or the Big Sisters (AMD, Intel, etc.), or even Uncle Google, although I gripe about him some. I would gladly surrender some of my "rights" and privacy to those that work so hard for the security of our Nation. I don't think 911 was a "theory". Yet. Nor do I think it's over. Yet.

According to some tech sources, the flaws were discovered by a hacker hacking his own machine, which implies that direct access is needed, and I have read on a tech site (don't remember which one) that to get infected, a user needs to already have malware running. If those are the cases (and I have not been able to confirm it yet) then using best security practices should be an effective way to mitigate these vulnerabilities. Another point is that I found no indication that these are Zero-Day vulnerabilities, i.e., no one has exploited them prior to patches being available.

Every day our computers most likely have vulnerabilities, with patches only available after the vulnerability is finally recognised

The media continue not to deal with the elephant in the room:
**No patch, and no antivirus software, will protect you when hackers find the next vulnerability before the good guys do**

--So.. what everyday computer habits do we need to change once and for all, given that there will be vulnerabilities today we just don’t know about.--
Is the Microsoft Windows operating system doing enough to protect the average computer user from themselves ?

1) Does Microsoft need to implement standard keystroke scrambling software on all Windows versions, so keystrokes can't be analysed easily by malware?

2) Do we need to stop saving our passwords (bank, work, email) with cookies that are saved on our computer? Cookies may save our time and help avoid typing the same thing, but maybe we need to type out bank passwords each and every time.

3) What information does computer memory need to store, and are there ways to quarantine security sensitive information from RAM?

4) Can Microsoft finally create a separate Windows Security Module, that can be regularly updated, without updates jeopardising the rest of the OS, its hardware and software configurations?

5) How safe are our Windows logon passwords / screen lock passwords (they are stored on the computer)? Can malware ever harvest these, and lock down our computers ransomware style?

Good article Rob - lots of common sense.

The world's press is having a ball with this as they always do when some bug or insecurity is found. I have seen articles where they say the fix will reduce your computer's speed by 30% and others by 1.5%.

I have looked at the problem, it would require some extremely clever code to get at and make use of the design fault, probably take much longer to create an effective virus than to produce the fix.

Just keep updating your anti-virus and operating system. If you are worried stay off 'dirty' sites.

Roger

According to security experts who have studied the problem, at least one of the vulnerabilities can be triggered by a maliciously-coded page.

Also, the "up to 30%" performance hit varies depending on workload.

I would expect serious gaming machines to take a pretty good hit, if that's true.

Home users, including Gamers and serious gaming machines won't see any appreciable performance hit. 99.9% of games will see no more than a 1 or 2% hit, if that much. Some games actually slightly perform better with the patch. It's server type workloads that see the big hits. That's been proven by a number of different trusted sources. Most testers say the difference is within the margin of error.

Your reassurance is not reassuring Rev_Don.
Intel's list of affected processors is long, and a lot of older computers may well take a performance hit.

I predict it is too early to be offering reassurances.
There is a wide range of computer processors that are affected, and many computer users have older computers with older processors.

The tests I've seen so far go back as far as 1st gen Core i series. I don't know very many Serious Gamers using anything older than 2nd gen Core i series. The C2Ds and C2Qs I've tested are on the edge of margin of error as well. Anyone using anything older than that isn't going to be doing anything that CPU intensive to notice the difference.

And a lot of the people who claim to have noticed the so called 30% performance hit on a home system are using flawed techniques. A lot are doing a single run instead of averaging multiple runs. They are also making the post patch run immediately after rebooting instead of verifying that all of the patches have finished installing. A lot of systems are getting a Net Framework Security Update and/or AV Update upon reboot after applying the patch. Users who run the tests right after the Patch Update are testing DURING these updates which skews the results.

Now I do agree that there is a lot we don't know yet, but all of this Doom and Gloom that the bug patches will render our processors nearly unusable is just a bunch of FUD. The initial patches might have a SLIGHT noticeable impact on SOME applications on a home computer, but the overwhelming majority of that will be mitigated with further testing, updates, and microcode and bios updates.

Apple and Linux have also released updates.

Great article......thank you!

Good article, thanks Gizmo. For me at least the most interesting reading here are the comments.

There is everything represented that I find generally in dealing with humanity.

From the doomsday prophet that sees his world completely out of any order,
via the complainer (oh see how bad it's gotten - but I am going to lean back and do nothing, better don't update),
via the adequately reacting realist
to the frightened mouse who still is on XP and stays there because this world is oh so dangerous and anything new is oh so frightening.

Truly a panopticon of the world around me. What did I expect?

Yes, humanity also includes processor manufacturers who have been selling a defective product over 10 years,
and not offering a replacement product that works

And humanity includes phone manufacturers being caught with their updates deliberately slowing older iPhones
- this occurred without the permission of owners
- the public were only informed by Apple when they were caught, the policy was instituted more than one year ago
- the updates were documented to slow older model iPhones by up to 50%, often rendering them unusable
- Apple only informed its customers after it was caught
- the manufacturing policy whereby a phone should be disposed of once the battery wears out has been the accepted status quo,
with inestimable impact on the environment
- Apple, only in the last month, provided official phone batteries that were affordable, so finally the environment has been respected

Ah, humanity

With this international precedent, of manufacturer firmware drastically slowing hardware usability, it is no wonder a lot of computer users are a little cynical
- what should really be offered is a replacement fault free computer processor (CPU), when they are finally available, but don't hold your breath

I'm not willing to sacrifice my computer to potential unusability, until I have heard the feedback from Windows users who have used the patch.
I also won't install a patch, unless I am certain of the method of uninstalling the patch - although I bet uninstallation is difficult with firmware updates.

Of course you must be oh so right. What might be even more interesting is what's behind the words, which we have no way of knowing, but concerning which making assumptions, we make asses ... you know the idiom I'm sure.

Boy is that picture of a CPU old! Intel, the processor with the problem hasn't used PGA chips for a decade.

It isn't just Intel. AMD, Qualcomm, and ARM are also vulnerable to at least one of the three bugs. And that Intel processor would be vulnerable to at least one of the 3 as well, and probably 2 of them.

Thanks for the explanation. A good supplement here:
https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/
where you can find a link to a list of AV programs etc that are ready to receive the Windows Update with the patch.

As an older computer user, I am finding that I just don't trust anyone anymore. One day coffee is good for you, the next it's a killer. Give to this charity, it's a scam. Give to this go fund me... liars, all of them... use this app, it's a hoax. Use this one and it steals from you. So now most of the time it's a wait and see for me. Trust no one, run sandboxed, make backups, shut off all updates until enough time has gone by to really find out if they actually do what they claim. A sad thing but the internet and scammers have eroded all trust in humanity for me. Good luck to all.

Perfectly put! After one of my tablets got completely hosed by the last win10 update, I said the hell with it and disabled automatic updates. Updates break more than they fix imo. I'll take my chances and be careful where I go.

I'm an 80yo
yeah, I agree
this beautiful thing the Internet
what are they doing with it?

We have allowed both the internet and smartphones to compromise our data security, without protest
I was late to the smartphone era, and use TechSupportAlert to guide my choice of software

I was staggered at just how many phone apps need to invade your privacy
- many apps demand access to your contact list, some apps need to push advertising to you
- many apps demand to be able to send data back to the software company

I will never put mine nor my family's personal photos on social media, including Facebook, as I'm sure their policies insist that they have lifelong permission to upload and save and to use this precious personal data.

For malicious software to use these bugs, it first needs to be installed on the computer.
I would like to believe that my computer is not infected, so would have preferred not to install these updates. Alas, this is impossible.
I would much prefer having a potential bug rather than having the spectre of a slow-down hovering over my computer, or the meltdown of its performance rating.

Thx for the simple explanation. Was wondering what the panic was all about.

There is discussion that these patches may actually lead to processor slowing and a slowed computer.
It will be interesting to hear just what is the impact these patches have on computer speed, particularly for those who are still using older computers, such as 3-5 years old
For some people, a slowed computer is practically much worse, than a potential vulnerability

Most computers over the last 10 years with Intel and other processors are apparently affected
There should be international class actions against these manufacturers, until they offer recalls and replacement of these processors
These faulty processors were sold not fit for purpose
Obviously industry can't just shut down their computer networks, but they should be offered refunds or replacement fault-free processors, when these are eventually manufactured

Since when did we accept 'software patches' as being a suitable compromise to full replacement of faulty hardware ?

No need to worry too much about speed. Home users are hardly affected. Some large data centers with a lot of (small chunks of data) writing to fast media (SSD) will be hit the worst.

Just apply the patch (patches) MS has posted.

Thank you.
Do you have the same advice for my old iPhone, that is, just accept Apple updates?
Apple admitted its update slowed older iPhones (by up to 50%, leading many to have to buy a new phone)

One word: Android. Customize it, hack it, root it to your heart's content at 1/3 the price. Apple is for rich kids.