Fort Riley cyber security chief discusses Meltdown, Spectre vulnerabilities

By Andy Massanet, Fort Riley Public Affairs
January 19, 2018

FORT RILEY, Kan. -- With the new year, news began to surface regarding two new kinds of threats to computers and other devices consumers use to conduct daily business.

They are called Meltdown and Spectre. Both are processor vulnerabilities discovered by security researchers at Google, as well as academic and private institutions last year, said Mark Franzen, Cyber Security Division Chief, Midwest Region, Fort Riley.

The vulnerabilities make sensitive information hidden in the deepest part of the device's processor potentially available to malicious software.

Franzen became aware of Meltdown and Spectre Jan. 2, but cyber security researchers -- many of whom were working independently of one another in Europe and the U.S., according to a Jan. 7 story released on the Wired magazine website -- had discovered the vulnerability over the past year.

The practice of delaying release of such news is common, Franzen said.

"Oftentimes they'll hold onto this information to give vendors a chance to find ways to mitigate it and help people defend against it," he said. "In the case of Apple, they had already released patches to mitigate this over the past two months."

The two vulnerabilities operate in similar fashion, but there are differences. According to the PCWorld website, Meltdown is the more serious, and the one operating systems are rushing to fix.

The vulnerabilities are in personal computers, mobile devices -- such as cell phones and tablets -- and home automation devices like smart thermostats and WiFi routers.

To be clear, Franzen said, neither Meltdown nor Spectre is a virus; rather, they are vulnerabilities in how processors produce information quickly for users. They are the result of the use of what Franzen called "speculative execution," which processor manufacturers have used over the past 20 years to help produce the speedy computers consumers prefer.

"What it does is, let's say you've got an application open and that's loaded in the processor and it's being worked," Franzen said. "If there is a 'next' button -- and this is a really simplified version of this -- but if there's a 'next' button in that application, what the processor is doing, and what the programming is doing, is automatically assuming you're going to click that next button and already processing what is going to come up next. So instead of you sitting there waiting, it's already preloaded that information. It's speculating that you are going to click 'next' and pre-loading that information."

Since speculative execution has been around so long, Franzen said, "it is hardwired into every electronic device you can think of."

Meltdown and Spectre can be exploited by viruses and other malicious software, Franzen said. Viruses frequently come in the form of emails the user might open.

"That's the root issue," he said. "It's a vulnerability in modern software that can be exploited by malicious software."

Franzen used the example of someone doing bank business online.

"Let's say you've got your banking application loaded," he said. "You're sitting there and you're putting your sensitive banking information in there because (by virtue of the speculative execution the processor uses) it is pre-loading information or holding information in that processor, which could include your bank account, log-in information, things like that, if you open that malicious email while you have the banking application open, the vulnerability will allow that malicious software to look into the processor and see that information sitting there waiting to be processed and it can extract that information. That's the real issue."

Franzen added there are currently no methods by which a hacker could remotely exploit this vulnerability without the system user helping them directly by clicking a link or running a malicious application.

Operating system vendors like Microsoft, Android and Apple are already publishing updates to block this within the operating system, he said.

The following are some tips that can help users defend themselves against these threats:

Use the system to check for updates and apply them immediately. Go to the manufacturer's website for all devices and see if other updates are required to mitigate this issue. Computer and device vendors like Dell, HP, Apple, Samsung and LG are developing updates to address this issue in addition to the operating system updates.

This could include, but is not limited to, smart TVs, internet connected thermostats, security cameras and so forth, all of which could be using processors that are vulnerable. It may take some vendors weeks or more to develop the updates, so check back often.

Perform monthly or even weekly maintenance. Take some time to update devices including smart phones, smart TVs, Blu-ray players, game consoles, WiFi routers and computers. This is not difficult as most devices have a simplified "check for updates" option in the settings menus. If the settings on devices aren't set to automatically check for and install updates, turn on that option to make it even easier.