Spectre and Meltdown – should you worry?

Should you worry about the latest scare concerning computer security?

The vulnerability has been in all CPUs over several years at least
The rather scary-sounding Spectre and Meltdown vulnerabilities have been much in the news recently. These are not intentionally-created types of malware. Rather, they are vulnerabilities (that could be exploited by malware) brought about by the way that modern CPUs are designed.

The CPU (Central Processing Unit) is the part of the electronics where computer instructions are carried out. Both of these vulnerabilities arise out of the fact that one of the ways that modern CPUs aim to be even faster in their operation is by anticipating what you will want to do next. To this end, they put stuff in readiness in a place where it can be accessed more quickly. My understanding is that the vulnerabilities work by an indirect method that calculates the content of these “cached” areas by asking for stuff and seeing how long it takes to get it.

So, is this a real worry and what should we do about it?

SpectreFirstly, there is no known malware out there (yet!) that can take advantage of these vulnerabilities to access data it shouldn’t be able to read.

Secondly, there are plenty of other ways that malware can get hold of the same information without calculating the content of memory caches, so has the overall “amount of threat” really gone up significantly?

Thirdly, the manufacturers of all operating systems are already acting to “neutralise the vulnerabilities”. I put that in quotes because it seems that there are lots of practical problems in implementing ways to stop the threats. If you really want to give yourself a scare, try reading this article from Ars Technica.

So, what should we do?

Exactly the same as we should already be doing:

  • Updating operating systems and programs as soon as practicable after being told that an update is available (which means having “automatic updates” turned on, of course)
  • Ensuring that antivirus and antimalware software is present and kept updated
  • Only visiting websites that “seem right”
  • Only opening email attachments and links from trusted sources
  • Taking frequent, adequate, backups. Backups should really be made onto at least two different types of media, by at least two different methods, and held in at least two different locations

MeltdownSo, in practical terms, what’s new then?

Very little. It’s a theoretical new way that has been discovered whereby our IT is not as secure as we would like it to be and we need to take the normal precautions outlined above. I think there are two factors that make such “stories” so very appealing to the mass media – they incite fear (particularly of the unknown) and the effects could (in theory, at least) spread to affect huge numbers of people across all walks of life in a very short space of time. This is manna to the mass media. Nothing better for whipping up the viewing/reading figures than a good dollop of fear.

I’m not being complacent here. You just have to know the number of different backup methods I use to know that no-one could rightly accuse me of complacency when it comes to data security. I suppose I’m just appealing for a level-headed and realistic response.

And why those names?

“Meltdown” comes from the fact that the vulnerability can “melt” the barriers that are meant to keep one program from seeing data and processes relating to another

“Spectre” comes from the CPU’s optimization technique of “speculative execution” whereby it guesses what you will want to do next

– but I don’t think it’s any coincidence that both of those names are a bit scary. Do you?

(Last updated 11/09/2023)