AVG Signal Blog Security Threats Megabugs! A Quick 'n Easy Guide to Meltdown and Spectre

Written by Gonzalo Torres
Published on January 23, 2018

What are Meltdown and Spectre?

Two big security flaws in the chips that power nearly every computer, smartphone and tablet on Earth.

Also, what I was planning on naming my daughters one day.

This article contains :

    How do Meltdown and Spectre mess with my devices?

    They potentially compromise your device’s memory, leaving the door open for people to get in and steal some seriously sensitive personal data — passwords, pictures, payment details, credit card numbers…

    Are they different from each other?

    Yes, Meltdown and Spectre are two different flaws.

    • Meltdown affects every computer, smartphone and tablet with an Intel processor, and it also affects cloud services — potentially, hackers could rent out a virtual server on the shared cloud service and use it to access data from other users.

    • Spectre affects all processors on the market, not just Intel ones. It also screws with web browsers: again, a hacker who knows what he or she’s doing could potentially write malicious JavaScript code, add it to a website, and make your browser reveal your passwords.

    Meltdown and Spectre are most often talked about as a duo because they were discovered nearly at the same time. If you want to know more about how they differ, Google Project Zero has a very good, very technical post.

    Which devices do they affect? Do they affect me?

    Do you have a PC, laptop, Mac computer, smartphone or tablet running Windows, Linux, Android or iOS?

    Then yes, you’re most likely affected.

    How destructive are they, really?

    On one hand, you may have noticed we keep using the word ‘potentially’. This is because there have been no cyber attacks exploiting these two flaws. (That we know of. Yet.)

    There are also not the sort of security defects that can be exploited by just anyone — you’d need to really know what you’re doing.

    On the other hand, Meltdown and Spectre affect so many devices worldwide, and to such a degree, that when they were first reported, security analysts thought they were fake — and are now calling them “catastrophic”.

    So, pretty, pretty destructive. Potentially.

    Who created Meltdown and Spectre?

    These bugs weren’t created on purpose. They’re not viruses or malware — they are just security gaps we didn’t know we have.

    In order to make our devices work as fast as we want them to, computer chip manufacturers built processors that can anticipate some of our commands before we make them, based on commands we’ve made before.

    We’ve just discovered that these “predictive memory” capabilities (the official name for them is speculative execution) can be hacked and used against us. Again, potentially.

    In a nutshell, by making devices work super fast, we accidentally made them super vulnerable.

    What to do about Meltdown and Spectre

    There are things you can do to help fix and minimize the fallout from Meltdown and Spectre:

    • Make sure you install Windows patches and updates

      Microsoft has been providing Windows 10, 8 and 7 users with an automatic fix. You can open your Windows Settings (or Control Panel) and Windows Update to make sure you’ve gotten your update. It's unclear at this point if older versions of Windows that aren't supported by Microsoft will get any updates.

    • Update your Apple gadgets

      Apple has released mitigations in iOS 11.2, macOS 10.13.2, tvOS 11.2, iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. It seems Apple Watch is not affected. Just update everything.

    • Linux user? Get patched

      Linux kernel developers have released three different fixes to deal with Meltdown and Spectre.

    • Update your browser

      This is important because, as we mentioned above, someone could write malicious JavaScript and steal your passwords and personal details. Firefox 57 and the latest versions of Internet Explorer and Edge for Windows 10 come with cooked-in fixes. Google’s Chrome 64 browser will also have a fix. Safari has also been protected and updated.

    • Update your firmware

      As in, the software that you get from the company that made your device — or its components. Intel has an update ready, as does Microsoft for its Surface users. Got a non-Intel system? Contact your computer manufacture and see if they have an update ready.

    • Update your apps. Regularly.

      That’s not really specific to Meltdown and Spectre, but it’s just good advice in general. The sooner you update them, the sooner you get the latest security fixes.

    Why is my device suddenly slower!?

    Remember how we told you earlier that by designing devices to be super fast, we also accidentally designed them to be super vulnerable?

    Well, as it turns out, by blocking the security problems originating from this speed, you also end up… blocking some speed. Sometimes a lot of speed. Up to 40 percent, in fact.

    These patches come with other secondary effects — namely, unexpected reboots. Surprise!

    And no, you cannot opt out of the patches. Them’s the breaks.

    So now, what?

    While dealing with a noticeably slower computer that randomly restarts by itself is a royal pain in the behind, it sure beats having your credit card and online banking password stolen — and since there’s no way of opting out of these cures anyway, we might as well hold on tight and ride out these performance glitches until a permanent solution can be found…

    … which could take years, since it involves re-designing computer chips from scratch and putting them out in the mass market by way of new computers, smartphones and tablets.

    So now, we wait.

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Gonzalo Torres