Meltdown and Spectre: The Computer Chip Flaws That Brought the World to Heel

However, nobody could predict that the very beginning of 2018 would drop the A-bomb of security flaws onto every single one of us in the form of two appropriately named microchip security flaws, Meltdown and Spectre.

A global warning

Unfortunately, the A-bomb analogy is not an exaggerative metaphor: Meltdown and Spectre do indeed affect anything to do with a microchip. As a matter of fact, according to the government cyber security agency Cert NZ “simply running websites in multiple tabs in a web browser could be enough to expose confidential information such as internet banking passwords to hackers who learn to exploit the underlying flaw”.

However, there are a few differences. By hiding it in a malicious program, Meltdown gives hackers access to the device’s kernel memory and reads secret information like any passwords used in all installed programs. The bug targets Intel CPUs, exploiting a flaw deep inside the processors’ blueprints that haven’t been discovered for nearly 20 years. Ironically, Intel is one of the corporations behind FIDO, a biometric authentication standard that is supposed to replace passwords in the near future.

Meltdown in action

Spectre, on the other hand, is a thousand times worse. It’s one thing that it affects AMD and ARM processors in addition to the ones from Intel – which basically accounts for 90% of all microprocessors in use. What’s more frightening is that Spectre is extremely hard to detect, since it tricks harmless programs into leaking sensitive information from the kernel memory.

In simpler words: regardless of whether the device uses Intel or AMD, iOS or Android, and whether you run antivirus or not, no data is safe, because Meltdown and Spectre are literal battering rams that cannot be stopped until the sufficient protection method is available for everyone.

Taking the necessary countermeasures

Solutions by corporations

Worry not, however, as all major computing companies from Microsoft and Apple to the likes of Google and the manufacturers of the affected CPUs have all realized the severity of this security flaw. Microsoft has already released a security patch that all users will receive automatically via an emergency update, while Apple is also working on something similar.

Google, who has played the good guy this time by discovering the issue back in June 2017, also released a list of useful information regarding what will and should be done – including site isolation in Chrome – which can easily be turned on by typing entering chrome://flags/#enable-site-per-process into the address bar and enabling the feature. Firefox users can also rest easy: version 57.0.4, which was released on January 4 2018, already contains the necessary patches.

However, it’s a high price for these emergency patches: once they are installed you may experience a 5%-30% slowdown in the device’s memory…

Extra protection by password managers

Aside from causing extra struggles for the vast majority of internet users, Meltdown and Spectre put password managers to the ultimate test, too. And since it could be days until the necessary patches arrive, these programs have become the primary protectors of passwords and other sensitive data.

Obviously, a strong master password is a must, as well as not sharing confidential data with others unless necessary – in which case this should only be done from the software itself. Just to be sure, it’s better to replace all your passwords stored in the vault with new ones, which are preferably generated by the program’s own password generator. Granted, it’s a tedious task, but certain programs – like Dashlane – can do that for you automatically.

Turning on two-factor authentication is also highly advised, especially if you have the option to use fingerprints, facial ID or your voice as a secondary authentication option. And if there is the option to rely on a secure browser, such as the one used in Password Boss, you can be sure that it will never disclose any sensitive data.