Everyone has heard the buzz in the news about major exploits discovered in processors called Meltdown & Spectre. Although the media is vague about these exploits, as it’s a complicated issue, the conclusion is clear: these exploits are big security concerns that could potentially leak passwords, private information, and financial data.
Any computer made in the past 20 years is vulnerable. Since that affects 100% of our customers, we’ve decided to put together a quick bulletin to bring some clarity to this issue.
Who is affected?
There are two major flaws that have been found in major processors from Intel, AMD, and ARM. That means these exploits exist for all Windows, Apple/Mac, Google Chrome, Android & Linux laptops, desktops, tablets and phones (and iPhones).
If you have a computer, phone, or tablet, you are affected by these flaws.
What can we do to fix it?
The good news is, many variants of these two exploits already have patches ready to resolve the issues from a software standpoint. If you’re not sure how to get the patch installed, we can help install the patches at our store. No appointment is necessary, we can patch this exploit with same-day turnaround.
Because of the severity of this exploit, we are offering for a limited time a discount on service for these two exploits. Patch one computer / phone, and get a second one patched for free. Bring all of your phones, computers, and tablets for same-day patches. Don’t delay- get patched today!
The bad news is, at least one variant of Spectre is more complicated than the others, and currently does not have a fix. There’s a chance this exploit may take years to resolve, or it may require manufacturers to re-think how they design future processors. Stay subscribed to our newsletter and we will keep you updated as soon as a patch is announced.
What are the exploits?
We’ve attempted to make our description accessible to the average non-techie, but if you don’t want to read the tech mumbo-jumbo, feel free to stop in to our store any time and get a fix.
Computer processors (or CPUs) are designed to follow a set of instructions. Much like a cook follows a recipe, CPUs follow the instructions from start to finish in order to perform every-day tasks that we use computers for.
CPU engineers discovered they can make tasks complete much quicker if a fast CPU could process multiple parts of the instructions at the same time (in parallel). This is called speculative execution.
Sometimes, instructions at the end of a program rely on the results of earlier parts of the program. For instance, your email program plays a chime when new email comes in (You’ve got mail!), but it can’t know whether to play the sound until after the email has been checked! The software wants to perform quickly so in anticipation it loads into memory and prepares the new-email chime to play as soon as it gets the go-ahead.
But what happens when the email is checked and there’s no email? The CPU abandons the instructions to play the chime it was processing just a moment before.
While not limited to email-chimes, this basic example demonstrates how speculative execution processes parts of programs that later are realized to be unnecessary. This in itself is not bad.
The problem arises because normal safeguards that keep programs from reading protected information (such as passwords or credit card numbers from another program or browser tab) do not apply to the speculative execution threads. CPU engineers believed they fixed this problem by simply preventing speculative threads that violate the rules from finishing their job. However a problem arose from this:
In our example of the new-email chime, even though the thread was abandoned as soon as the program realized there was no new email, the chime itself got loaded into memory (the CPU cache) and still sits there. If another program needed to use the same new-email chime sound, they would find that it’s already in cache. That means the rule-breaking thread that didn’t complete left a small trace for other programs to know it was there.
Now, email chimes are not really a big security threat, and in reality the CPU cache wouldn’t really load sound files. But a real-life example follows the same rules.
A portion of a rogue-program is set to read your banking password from another tab on your web browser. Speculative execution performs this task in advance and loads the relevant data into the CPU cache. Since this breaks the rules, the rule-breaking thread is discarded and the results are never given to the program. The program then tests to see what information can be accessed quickly (meaning it’s in cache) or what information takes long to retrieve (it’s not in active cache).
From there, attackers are able to piece together information in other programs and browser tabs that it shouldn’t have access to. Credit cards, passwords, social security numbers, the possibilities are endless.
Now Spectre and Meltdown are two different exploits with two different fixes, but both are related to the same sort of issue.
Our techs at Same Day Computer are on stand-by ready to apply fixes
If you have any questions, feel free to give us a call: 603-524-1400