Just when you thought it was safe to use your computer again, a new computer exploit rose from the mist, and this time, unlike with some past exploits where only certain operating systems or software packages were targeted, it affects almost everything. Known as “Spectre” and “Meltdown,” these ominous-sounding names reveal the feelings of the researchers who first discovered these issues, and they affect a range of products from personal computers and smartphones all the way up to the computers that form the backbone of “cloud” infrastructure.
The problem started with the unstoppable march of progress. We demanded faster and better performance from the chips in our computers, and to do this, computer designers introduced “speculative execution,” where instead of waiting for a user to request some function, computers perform functions ahead of time and then utilize their caches. Unfortunately, this created two problems that now affect processors using this technique, indirectly creating the Meltdown and Spectre exploits.
The Meltdown exploit occurs when someone uses speculative execution to query data that should be inaccessible to the attacker, but the moment they are queried, they are placed in the cache to speed up processing, leaving them vulnerable as a result. Meltdown primarily affects PCs and cloud computing as well as almost every Intel processor released since 1995, some ARM processors and, every now and then, smartphones.
The Spectre bug occurs by training the computer to misuse its branch prediction process (a form of speculative execution) to access data that should not be accessible. Spectre affects Intel, ARM-based, IBM, and AMD processors, meaning that it affects the same computers as Meltdown with the addition of smartphones.
Spectre and Meltdown were independently discovered in June 2017 by researchers around the world, and the original plan was to publicly release information in January; however, such a wide-reaching problem required informing dozens of stakeholders and pushing updates to end users. As speculative execution was used to increase performance, it led to the disabling of some features for security, which led to slowdowns, which led to computer enthusiasts becoming curious as to why out-of-schedule patches were being released, causing performance hits. This curiosity led to rumors and discussion, forcing Google to publicize the news early.
Spectre and Meltdown are wide-ranging problems that will linger with us for years. Patches have been released for both, but issues with their integration have caused some manufacturers, such as Intel, to suggest not installing their original patches and wait for better ones to become available. Nevertheless, the best practical protection you can take is installing updates as soon as they become available as well as periodically running good security software; hackers must have access to your computer to try and exploit these bugs. These common-sense precautions are steps we should all be taking anyway as part of computer maintenance and care.
These dual-faults create uncomfortable questions about how far we are willing to push technology to be faster and better at the expense of security. With the rapid pace of fields such as artificial intelligence and smarthomes, a similar bug could cause even greater damage in the future. While current evidence remains unclear on anyone using these bugs successfully, the potential exists and will continue to exist for some time. This should engender a deeper philosophical look at the balance between progress and security as computing devices become more and more unavoidable in our lives.