Via complicated CVE codes, two hijacking vulnerabilities named Spectre and Meltdown were revealed to the public on Jan. 3.
These security flaws affect every Intel computer chip made in the last 20 years. That means a majority of computer, desktop, laptop, tablet and smartphone chips have this vulnerability that can allow a hacker to access sensitive information from anywhere. Meltdown got its name from the ability to “melt the border between programs and the operating system,” according to one of the team members who discovered Meltdown Michael Shwarz.
Think of Spectre and Meltdown as three people: Spectre is the husband and wife team that hijacks computers in a more complicated way and go undetected because they live in a white-picket fenced house in the suburbs and have 2.5 children and a dog named Fozzie.
Spectre and Meltdown surfaced after various individual reports were made by places like Google Project Zero, Cyberus Technology, Graz University of Technology and Data61. So what are these vulnerabilities, what do they affect and what can be done to prevent them from affecting personal computers everywhere?
“To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer,” said Cade Metz and Nicole Perlroth in a report for the New York Times. “Once they were on the service, the flaw would allow them to grab information like passwords from other customers.”
Spectre, which gets its name from its root cause speculative execution, is actually the name for two variants of the same exploitation. It is the worst of the two, with the ability to reveal secret data and to go undetected.
“There are various ways that could happen. Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website,” said Metz.
Meltdown is the newest hacker who is learning how to hijack but isn’t quite good at it yet because he leaves tracks. Who is more likely to fly under the radar? Spectre.
How is this fixable? According to the CSO Online, “the fundamental vulnerability exists at the hardware level and cannot be patched. However, most vendors are releasing software patches that work around the problems.”
Google, Intel, Apple and Microsoft have already released patches to prevent or circumvent the effects of these vulnerabilities.
“It’s important to keep all browsers up to date,” said Josh Fruhlinger in a CSO report.
Delaying an update to Google Chrome, Safari or Firefox could mean the difference between safety and personal information being sold on the dark web.