Spectre and Meltdown - Should You Worry?
You may have heard of Spectre and Meltdown, two security vulnerabilities that exist in virtually every CPU ever made by the chip giants Intel, AMD, and ARM. Either vulnerability can expose your system to “arbitrary code execution,” the geeky way to say, “A hacker could take complete control of your computer” and run any malware he wants on it. Read on to find out more, and if your computer is vulnerable to these attacks...
The Specter of a Meltdown?
The Spectre flaw enables one compromised program, such as a web browser, to compromise another program running on the same machine, such as Microsoft Word. If a hacker can penetrate your browser via the Internet, he can leapfrog from there across every program running on the system.
The Meltdown flaw allows hackers to gain access to a portion of a computer's memory that should be off-limits to all software except the operating system. And Meltdown doesn't care if you run Windows, Linux, or Mac OS X. Any of those systems may be vulnerable.
As Meltdown’s name suggests, truly bad things can happen when a rogue program gains access to those portions of memory that should only be accessible by the operating system. You may have seen the dreaded Blue Screen Of Death (BSOD) where Windows displays the cryptic “fatal memory fault at address…” Boom! Crash!
But what’s the point of crashing some stranger’s computer? “Some people’s children” just do it for the “lulz,” that is, for laughs. Global superpowers may do it in the name of “national security,” their intelligence agencies spending unlimited money to develop nuclear-grade malware… which, as we now know, “spook shops” like the NSA have allowed to escape into the hands of the “children.”
Worse, Meltdown enables an attacker to access all memory, including areas where your personal information is stored while you are working with it. There lies the profit motive that drives the most widespread attacks. The mercenary “adults” can use Meltdown to make millions.
The titans of tech including chipmakers, Microsoft, Apple, and the Linux community, have scrambled to issue hardware and software patches for Spectre and Meltdown. All hands on deck, as they say!
But there is still lingering uncertainty about whether the patches work, or if they do more harm than good.
As of January 23, Wired! magazine reported that firmware patches issued hastily by Intel, AMD, and ARM to close Meltdown vulnerabilities in their chips “can inadvertently cause serious problems beyond processing slowdowns, including random restarts, and even the blue screen of death.” https://goo.gl/Hczrq1 Microsoft went so far as to release a patch that disabled the Intel patch.
On January 22, father-of-Linux Linus Torvalds said, in one of his more diplomatic comments, “the patches are COMPLETE AND UTTER GARBAGE.” Speaking of Intel’s patch crisis managers, he asked rhetorically, “Has anybody talked to them and told them they are f***ing insane?” At least he used an asterisk. (I added two more.)
Since then, there has been thunderous silence from the tech press corps. Does that mean the coast is clear? Is it safe to install firmware updates to your CPU and BIOS, as Intel, AMD, and ARM urge you to do? And how is that done, exactly?
We Need a Gadget Inspector
Before tinkering with the most delicate parts of your system’s “brain,” I recommend that you run the InSpectre (“inspector,” get it?) utility developed by Steve Gibson of Gibson Research Corp. InSpectre “was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance,” according to no less an authority than itself. (Sorry, I couldn’t let that one pass by!)
InSpectre is freeware, less than 200 KB of code, and perfectly safe to run. It will analyze your Windows PC no matter who made its CPU and BIOS, detecting and reporting its vulnerabilities, if any, to Spectre or Meltdown. InSpectre reports its findings in clear, simple terms that even non-geeks can readily understand. (I don't know of a similar utility for Linux or Mac OS X systems.)
Best of all, its user interface includes two big buttons allowing you to Enable or Disable protection for Meltdown and/or Spectre. If either is greyed out, your system lacks that type of protection. Gibson goes into detail on why you might want to disable either of the protection options, to avoid the performance penalty they may impose. But unless you are noticing a marked decline in speed, I would not recommend doing so.
If InSpectre reports that your PC will remain vulnerable to Spectre or Meltdown until its firmware is updated, then it will be necessary to contact the maker of your PC to download a firmware patch specific to that make/model of PC. A Microsoft Support Page bears a “List of OEM /Server device manufacturers,” including links to their respective Spectre/Meltdown firmware and BIOS update help pages. https://goo.gl/ZsGbdt
The only annoying things about InSpectre are the goofy sound effects, and the display of the results. Looking at the InSpectre report is a bit clunky, because the window cannot be resized, and the small font can be hard to read. Position your pointer anywhere within InSpectre’s text window, press Ctrl-A to “select all,” then Ctrl-C to copy the selection, and then Ctrl-V to paste the report into a word processor or text editor. Then you can make the text as big as you like, save the report, or print it.
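For Linux machines, where InSpectre does not apply, kernels from early 2018 onward publish their own Meltdown and Spectre status as one-line text files under /sys/devices/system/cpu/vulnerabilities. The shell script below is an added example, not part of the original article or of InSpectre; its function names and verdict labels are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's self-reported Meltdown/Spectre status.
# Each status file holds one line that begins with "Not affected",
# "Vulnerable" or "Mitigation: <details>".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints NOT_AFFECTED, PROTECTED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PROTECTED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;    # empty, missing or unexpected text
    esac
}

# report_dir [DIR] -> prints "name verdict raw-text" for each issue.
# Returns 0 if all are mitigated or not affected, 1 if any is VULNERABLE
# or UNKNOWN, 2 if the status directory does not exist (older kernel).
report_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no status directory at $dir"; return 2; }
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            # read the first line; tolerate a missing trailing newline
            IFS= read -r line < "$dir/$name" || true
        else
            line=""
        fi
        verdict=$(classify_status "$line")
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
        printf '%-11s %-12s %s\n' "$name" "$verdict" "${line:-<file missing>}"
    done
    return $rc
}

# With no argument this reads the live system's status files.
report_dir "$@" || echo "not fully protected, or status unavailable"
```

A VULNERABLE or UNKNOWN line means the same thing as an InSpectre "not protected" result: install the pending kernel and firmware updates, then run the check again.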
The best protection against Spectre on the operating system side, as opposed to firmware and BIOS, is Microsoft Windows 10, Fall Creators Update, version 1709. Automatic updates are on by default in Windows 10, so you should have v 1709 unless you have deliberately delayed its installation. If you have, go to Windows Update Settings and allow v 1709 to be installed.
Windows 7 users should have auto-updates enabled, too. Run Windows Update and let it install all critical and important updates to protect your system as much as possible via Windows.
It is shocking to learn that nearly everything digital, from desktop PCs to phones and tablets to Internet of Things things, contains a chip that is vulnerable to Spectre or Meltdown. But bear in mind that the world is still not on fire; these vulnerabilities can be and are being fixed, if they are not already fixed in your device(s). For now my best advice is “Keep calm and carry on,” auto-updating all of your software.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 5 Feb 2018
Article information: AskBobRankin -- Spectre and Meltdown - Should You Worry? (Posted: 5 Feb 2018)
Source: https://askbobrankin.com/spectre_and_meltdown_should_you_worry.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Spectre and Meltdown - Should You Worry?"
Posted by:
Mark H.
05 Feb 2018
Good summary, Bob. I have a laptop and a desktop PC, both manufactured by Dell. It doesn't appear that Dell is going to update the BIOS for either model due to their ages. The laptop is about 6 years old and the desktop is 5. Both are running Windows 10 (1709) with no issues. The only option other than replacement is to keep the system up to date and keep security software updated.
Posted by:
RandiO
05 Feb 2018
Usually, I am not a freaked-out conspiracy theorist. Unfortunately, I cannot help but wonder if these "flaws" were just human error or if they were really back doors or traps, at the highest levels.
Posted by:
Dan W.
05 Feb 2018
I'm confused. In your article you say that Windows 10 version 1709 is good protection against Spectre.
I downloaded InSpectre and ran it as an administrator. I get the message that my system is not protected against either Meltdown or Spectre. However, even after I've run InSpectre as an administrator, the buttons to enable Spectre and Meltdown protection are grayed out.
What have I done wrong?
Thanks for your help.
Posted by:
Paul S
05 Feb 2018
Dan W.
Read the Frequently Asked Question and Answer on the Gibson site https://www.grc.com/inspectre.htm
Essentially, if your system is not protected, then the protection can't be turned off.
Posted by:
Dan W.
05 Feb 2018
Paul S.
It says my system is NOT protected and the buttons that are grayed out say TURN ON PROTECTION which is what I would do, but I can't.
EDITOR'S NOTE: Exactly, if your system does not have the patch (protection) for either of the flaws, then the buttons to enable/disable will not be functional. You need to run Windows Update to get the patches.
Posted by:
Pat
05 Feb 2018
I decided to check for that update, and my computer says it was installed on 2/1. Then it says it tried 3 times to load it again on 2/2. Now in December I had a problem with a download that tried 7 times and said it was for AMD. I have Intel processors. That update made me have to completely go back to the beginning on my computer. I actually had to call an expert in to reload everything. Then it happened again last month, but on a smaller scale. I hope it's not happening again. My operating system is Windows 10 Pro.
Posted by:
Harry
05 Feb 2018
Just to remark that in order to exploit Spectre and Meltdown, the computer first must be seriously infected by a virus.
As most computers are (hopefully) not infected, they have nothing to be afraid of. And if a computer is infected to that degree, Spectre and Meltdown are not the worst problem, since exploiting them is not that easy. There are much easier exploits for a virus to do.
I can't escape the feeling that this is a big storm in a small teacup.
Posted by:
Jim M
05 Feb 2018
I run multiple LinuxOS's on an Intel NUC and have not seen anything about Spectre and Meltdown. I ran InSpectre using Wine, but it just said I was unprotected. I'm in agreement with Harry above.
Posted by:
bb
05 Feb 2018
One thing to keep in mind is that there have been zero exploits found in the wild from either meltdown or spectre. I'm sure the bad guys are trying to create some virus but exploiting these vulnerabilities is really hard. (Intel originally found these in 1992, but decided it wasn't worth fixing as there were much easier ways to mess up a CPU.) That was then this is now.
Second thing is you have to have malware running on your machine. No malware, no threat to you. Although this is not a problem for end users, it is a *big* problem for business and industry that have to count on separation between users. With these vulnerabilities one user on a big web server could exploit all the other users, and possibly the system itself.
Bottom line: end users on a single PC, Mac or Android - don't sweat it. Accept and install updates as they are provided. Big companies and industries - sweat it!
Posted by:
Julie M
05 Feb 2018
I allowed the auto-install of the Fall Creators Update on Win10, and afterward, my PC was unstable and I had never been so concerned for its health, or when it would become unusable. After about 2 weeks of tolerating that, I did a system restore. It is still not back to normal but much more stable and tolerable.
Posted by:
Bernie
06 Feb 2018
Just asking, has anyone thought that meltdown and spectre is a big ploy by Microsoft to sell Windows 10. I have noticed that the prices have gone up and even refurb computers running Windows 10 are more expensive. Tried to install Win. 10 when it was free, but it crashed my machine more than one time. Just asking don't trust Microsoft.
Posted by:
clyde
06 Feb 2018
I don't think about it I run PCMATIC
Clyde
Posted by:
RandiO
06 Feb 2018
Mr. Rankin, I plead for your confirmation, as the way I understand the problem.
Since the flaw is within the Intel CPU core; the patch that is being provided by the OperatingSystem is strictly a band-aid fix (w/efficacy still in question...) My motherboard maker has already issued a BIOS upgrade to 'flash' my i7-6700K CPU code for this flaw. (I have also been notified by my Modem/Router and NAS boxes need a similar flash).
Posted by:
Kerry
06 Feb 2018
Thanks for your excellent article Bob. I wasn't aware of InSpectre so ran it and it looks like I'm protected against Meltdown by Windows 10 and need a BIOS update for Spectre.
Posted by:
David
06 Feb 2018
"I don't think about it I run PCMATIC"
Clyde, me luv you long time! LMAO
Posted by:
SamG
06 Feb 2018
bb; Do you think Equifax's IT department will "sweat it"? These concerned me for a day or two. But since Dell or HP probably won't get Intel to work with them to repair older processors, what's the point? And the new Android phone I bought isn't a Google device so expecting a correction from the manufacturer is like hoping to win the lottery when one isn't playing.
And flashing my computer's bios? NO WAY. Several times I purchased and installed updated bios chips and once a motherboard after trying to flash bios.
Posted by:
Joe
06 Feb 2018
In the 9th graf, Mr. Torvalds’ first name should read “Linus,” not “Linux.”
Posted by:
Gary
06 Feb 2018
Another satisfied PC Matic user here in Southeast Wisconsin!