Meltdown and Spectre: processor security flaws affect billions of devices

Almost all Intel chips of the last decade are vulnerable to “Meltdown”. “Spectre” affects virtually all computers, cloud servers and smartphones with modern processors. The latest Cliqz Browser v1.17.4 already includes a fix. Users should also update their operating system as soon as possible.

Meltdown and Spectre (Source: Natascha Eibl / CC0 1.0)

Björn GreifEditor

A hardware security flaw is the worst-case scenario for IT systems. If the underlying hardware is not secure, no further security architecture will help. Security researchers discovered two such critical issues in numerous modern processors (CPUs). These errors are two of the most far-reaching vulnerabilities ever known. They theoretically enable attackers to steal data which is currently processed in the system memory. CPU series from several manufacturers are affected, including almost all Intel chips introduced since 1995. Most computers, cloud servers, and mobile devices with Intel, AMD, and ARM CPUs are vulnerable to at least one of the attacks named “Meltdown” and “Spectre“.

Attackers could exploit the hardware bugs by using a malicious program to access confidential data stored in the memory of other running programs. This might include data from password managers or browsers, personal photos, e-mails, instant messages, and even business-critical documents. So far, there are no indications that the flaws have been exploited. However, security researchers from Graz University of Technology have demonstrated in several YouTube videos what is theoretically feasible.

Meltdown basically “melts” security boundaries which are normally enforced by the hardware. It breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also sensitive information, of other programs and the operating system. Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs into leaking sensitive data. Detailed technical information on Meltdown and Spectre can be found in two academic papers and in a blog post by Google’s Project Zero Team, which was involved in the discovery of both vulnerabilities.

Patches are already available or on the way

According to the security researchers, Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre and Meltdown through software patches. Updates for Linux, Windows, and macOS are already available or will be released soon. Cloud providers such as Amazon Web Services have also announced or deployed updates. Mozilla is working on a fix for Firefox, which we will release as soon as possible for our Firefox-based Cliqz Browser. [Update from January 5th: Mozilla has released Firefox 57.0.4 which includes the fix. It is also included in the latest Cliqz Browser v1.17.4 for Windows and Mac, which is now available for download on our website.]

The security updates bypass or disable the vulnerable mechanisms in the processor. This can also slow down the whole system. Initially, there was talk of a possible performance slump of up to 30 percent. By now, the performance loss is expected to be significantly lower.

Users should definitely update their system as soon as patches become available. This applies not only to the operating system itself, but also to programs such as antivirus solutions and browsers. The latest Cliqz version is always available for free download on our website.