Meltdown and Spectre - Every computer/phone at risk

Thread starter: Greg Bernhardt

Discussion Overview

The discussion revolves around the vulnerabilities known as Meltdown and Spectre, which affect nearly all modern CPUs. Participants explore the nature of these flaws, their implications for security, and the effectiveness of proposed fixes. The conversation includes technical explanations, potential attack scenarios, and the performance impacts of patches.

Discussion Character

  • Exploratory
  • Technical explanation
  • Debate/contested

Main Points Raised

  • Some participants describe Meltdown and Spectre as flaws in CPU architecture that allow unauthorized access to memory and data.
  • One participant suggests that the fixes for these vulnerabilities do not fully resolve the issues but merely slow down potential attacks.
  • There is speculation about the possibility of remote attacks exploiting these vulnerabilities, with varying opinions on the feasibility of such methods.
  • Another participant emphasizes the differences between Meltdown and Spectre, noting that Meltdown poses a more immediate threat than Spectre.
  • Concerns are raised about the performance impact of patches, with one participant mentioning a potential 30% decrease in performance for affected systems.
  • Participants discuss the necessity of antivirus protection and caution in software usage to mitigate risks associated with these vulnerabilities.

Areas of Agreement / Disagreement

Participants express a range of views on the nature of the vulnerabilities, the effectiveness of fixes, and the likelihood of attacks. There is no consensus on the best approach to mitigate risks or the implications of the vulnerabilities.

Contextual Notes

Some discussions highlight the complexity of the vulnerabilities and the limitations of current understanding regarding their exploitation and mitigation. There are references to the need for firmware updates and the potential for existing infections to complicate security measures.
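
As an added illustration of the first point in the summary (a flaw in CPU behaviour that lets code read memory it was never architecturally allowed to touch), below is a constructed C model of the Spectre variant 1 gadget shape next to the branch-free index-masking mitigation that operating-system kernels adopted for it. This is example code written for this page, not code from the thread, from Schneier's post, or from any vendor. The memory layout, the "constructed" secret string, the array sizes and the function names are all assumptions made for the demonstration, and the code only models the transient path as plain C; it does not time the cache or perform a real attack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed memory layout for the demonstration (not data from the thread):
 * a 16-byte public array that the victim is allowed to index, followed in the
 * same buffer by a "secret" the caller must never be able to read through it.
 */
#define ARRAY1_SIZE   16
#define SECRET_OFFSET 32
static uint8_t memory[64] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
    [SECRET_OFFSET] = 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd',
};

/* Probe array: one 512-byte stride per possible byte value. volatile keeps
 * the compiler from deleting the load whose only purpose is its cache effect. */
static volatile uint8_t array2[256 * 512];

/*
 * Branch-free index clamp in the style of the Linux kernel's
 * array_index_nospec(): the mask is derived arithmetically from the
 * comparison, so a mispredicted branch cannot skip it.
 * Returns index when index < size, and 0 otherwise.
 * Assumes size <= SIZE_MAX / 2, as the kernel helper does.
 */
size_t array_index_nospec(size_t index, size_t size)
{
    /* size - 1 - index wraps (top bit set) exactly when index >= size. */
    size_t oob  = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = oob - 1;              /* all ones if in bounds, 0 if not */
    return index & mask;
}

/*
 * The gadget body as a speculating core executes it before the bounds check
 * has resolved. Architecturally this never runs for x >= ARRAY1_SIZE;
 * transiently it does, and the byte read picks which stride of array2 is
 * pulled into the cache. The byte is returned so the effect can be inspected
 * without a timing side channel. In this model x must be < sizeof memory.
 */
uint8_t transient_gadget(size_t x, int hardened)
{
    if (hardened)
        x = array_index_nospec(x, ARRAY1_SIZE);   /* clamps the speculative x */
    uint8_t b = memory[x];                        /* out of bounds under speculation */
    (void)array2[(size_t)b * 512];                /* cache footprint keyed on b */
    return b;
}

/* The victim as written: a correct bounds check that speculation bypasses
 * once the branch predictor has been trained on in-range values. */
uint8_t victim(size_t x, int hardened)
{
    if (x < ARRAY1_SIZE)
        return transient_gadget(x, hardened);
    return 0;
}

int main(void)
{
    printf("architectural result for x=%d: %u (same for both variants)\n",
           SECRET_OFFSET, victim(SECRET_OFFSET, 0));
    printf("byte reaching the probe load, unmasked: '%c'\n",
           transient_gadget(SECRET_OFFSET, 0));
    printf("byte reaching the probe load, masked:   %u\n",
           transient_gadget(SECRET_OFFSET, 1));
    return 0;
}
```

Architecturally both variants return 0 for the out-of-range index, which is why ordinary testing never catches the flaw; the difference is only in what the transient path feeds into the second load, which on real hardware would be recovered by timing array2. The mask has to be added at every such gadget in every piece of software, which is the practical reason the thread's quoted post says a complete fix needs new silicon rather than a patch.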

  • #31
Australian Cyber Security Centre:
https://www.acsc.gov.au/news/update-on-processor-vulnerabilities-spectre-meltdown.html
 
  • #33
Bruce Schneier is a prominent computer security expert. Here are some excerpts from his blog post on this topic, but I recommend that you read the whole thing (1083 words).

https://www.schneier.com/crypto-gram/archives/2018/0115.html#1 said:
"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable...Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There...aren't mechanisms to push patches onto the devices.
...
The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong.
...
The final reason is...These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
...
It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it.
...
Spectre and Meltdown ...only affect the confidentiality of data.
...
For the average user, this is just another attack method amongst many...It's a much bigger problem for cloud vendors...

Of particular significance is where he said, "...only affect the confidentiality of data." That means that these attacks can't crash computers or cause them to stop working. That is a critical point.
 
  • #34
While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure, or at least potentially so on your personal PC, but much more vulnerable on some of our embedded devices and, of course, in the cloud, where restricted access is often anathema to doing business. This is partly why credit card farmers don't and haven't ever targeted individual PCs but rather those of banks. Why go after one account when one can harvest many thousands with only a little more work?

That last bit should be a clue as to where the greatest vulnerabilities lie and why we shouldn't be freaking out just because one more, or three more, vulnerabilities have been discovered. Granted that Intel's inclusion of the now expanded functions of the ME, which has access to drives and wifi even when owners view their PCs as essentially powered "off", and Win10's ability, by individual users' granted access, to read even encrypted disks and farm data which can be and is sent via insecure wifi, have seriously "upped the ante", still it is the Cloud and Internet Enterprise that has millions, even billions, at stake and is the somewhat "low hanging fruit". Individually, limited physical access, a properly configured 2-way firewall and a predilection to avoid clickbait reduce even these new vulnerabilities to minimal risk. Don't overreact. We can afford to wait and see, at least for now.
 
  • #35
enorbet said:
While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure...

Well, the problem is, javascript or flash code running in your browser is in this terminology a _local_ attack.

Remote attack is someone out there on the net sending some packets at you, or looking at your packets flying past him.
 
  • #36
nikkkom said:
Well, the problem is, javascript or flash code running in your browser is in this terminology a _local_ attack.

Remote attack is someone out there on the net sending some packets at you, or looking at your packets flying past him.

Yes, that can be defined as a local attack since it requires one either activating the code or allowing that code to activate by default. The former is usually in the form of some clickbait but also includes opening pages, including email, from unknown sources. It is, after all, possible to embed code in things like jpeg files. The latter is only common among those who do not use addons like NoScript or set up Java and Flash to always ask before running. This is also one of many good reasons to always use bi-directional firewalls, since so much malware requires some "phone home" action. This, so far, isn't the case with Meltdown and Spectre, unless it is delivered as an attachment, whether open, disguised, or hidden, with a self-propagating element included. This will likely occur, since being able to view otherwise hidden and privileged data is useless unless some means to view or exploit it is included.

What constitutes secure behavior is still much the same as always and hopefully common knowledge to everyone here on Physics Forums. If not, such information is easily found and implemented.
 
  • #37
enorbet said:
The latter is only common among those who do not use addons like NoScript or setup Java and Flash to always ask before running.

That's probably "only" 99.99% of all browser users.
 
  • #38
nikkkom said:
That's probably "only" 99.99% of all browser users.

While that may be regrettably so, anyone who knows anything about PC security considers such practice for anyone concerned about Meltdown and Spectre to be akin to worrying about their lack of motion sensor triggered lighting while leaving on vacation with their front and back doors not only unlocked but wide open. ;)
 
