Spectre and Meltdown Exploits - What You Need to Know

Dennis Faas's picture

Infopackets Reader Steve P. writes:

" Dear Dennis,

There has been a whirlwind of news on the Internet regarding the 'Spectre' and 'Meltdown' exploits that affect all microprocessors (CPUs) from 1995 and on. I am afraid my computer is at risk but I don't understand all the tecno-talk. Should I be worried? "

My response:

The short answer is: yes and no, mostly no (once patches are released). At the end of this article I'll offer advice on what you can do to stay protected.

What does the Spectre and Meltdown Exploit Mean?

I have been following the news for the last few days and here is what I understand:

First, the exploit is not a Windows-only problem. This is a hardware problem and includes any electronic device with a central processing unit (CPU) made from 1995 and on. This includes: smartphones, tablets, Android, iOS, Mac, Linux, Chromebooks, Windows - you name it. Intel CPUs are reportedly susceptible to both Spectre and Meltdown exploits, whereas AMD CPUs are only susceptible to Spectre exploits. The latter is considerably more difficult to pull off.

The exploits mean that information on a compromised system can be extracted (in other words: stolen and read by third parties - usually cyber criminals). In order to mitigate the attack, operating system patches are being released. It is said that these patches may result in I/O (input output) performance loss on applications that rely on heavy I/O, such as databases and possibly virtual machines. Older processors (previous to Intel Skylake and AMD Ryzen - pre 2015-era) would be most affected by the I/O performance loss. Put another way: everyday desktop users most likely won't need to worry about performance loss after being patched.

What Patches Have Been Issued for Spectre and Meltdown?

Patches for the exploits have started rolling out for Windows 10 machines, with Windows 7 and 8 machines being patched next Tuesday (January 9, 2018). Other posts suggest that antivirus needs to be updated before you can apply the patch. Windows XP and Server 2003 don't yet have patches; I can't seem to find any information about emergency patches issued for Windows Vista (which is technically no longer supported by Microsoft).

The operating system patches themselves serve to mitigate the attack, however, in some instances the CPU microcode needs to be updated using firmware update to the BIOS (if available). The operating system kernel can also 'update' the CPU microcode but this method is volatile, meaning that the microcode update is lost after the system loses power, then comes back when the operating system is loaded. In other words, this microcode update method is more susceptible to attack than a BIOS update.

Other posts suggest that the only way to fix the root case of the Spectre exploit is to buy a new processor, once they have been redesigned to be exploit-free. I cannot confirm whether or not this is true, or if a magic bullet patch will be developed to permanently fix the issue - only time will tell.

Those are the most pressing issues I have read this far - feel free to comment below.

How to Stay Protected Against Spectre and Meltdown

If you own a Windows PC - the best way to stay protected is to:

  • Use an up-to-date operating system. If you're running Windows XP, 2003, Vista, etc - it's time to move on because you can't keep relying on "hope" that Microsoft will issue emergency patches to fix big bugs. Even so, most 'everyday' exploits currently won't be patched if the operating system is no longer supported; this exploit is only getting the news because it affects almost everyone.
  • Patch your system with Windows Update once patches become available.
  • Make sure your Windows Update is not broken and that you are receiving updates. Here's how to tell if your Windows Update is broken.
  • Check for antivirus updates and apply them - this will likely require a reboot.
  • Make regular backups of your system using a disk image.

I hope that helps. If you need help with fixing a broken Windows Update I can help using my remote desktop support service. Simply contact me briefly describing the issue and I will get back to you as soon a possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing -- please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.

Rate this article: 
Average: 4.6 (7 votes)

Comments

rep's picture

Am I right in thinking that any passwords etc. which are stored in the CPU’s “memory” are lost when the computer is shut down? If so, then a safe procedure for internet banking (as far as these new threats are concerned) would be as follows:

1. Restart your computer.
2. Start your internet browser with a blank page.
3. Go to your trusted bank webpage and do your banking.
4. Restart your computer — any sensitive information in the CPU’s memory will have been lost. Won't it?

Dennis Faas's picture

As soon as an exploit is installed on the system it can stealthily read the information stored on your hard drive or memory, then relay that information to cyber criminals. That is the whole conundrum. When you power off the system all memory (RAM) is lost, however that same information will be loaded back into RAM when you access the same information on the hard drive - which will also be read by the exploit (if you were infected). This is no different than how a virus or malware works. The issue here is that this exploit is hardware related (directly tied to the CPU) and not software (usually it's MS Windows that has the exploit). That said, software can be made to "patch" the hardware (with performance loss, supposedly).

rep's picture

Of course I was naively assuming that the system was clean, i.e. hadn't yet been infected. But am I right in thinking that the passwords etc. which are stored in the CPU's "memory" (when I log in to my bank) are lost when the computer is powered down (as is the case with RAM memory)?

Dennis Faas's picture

I've decided to make this discussion its own separate post - so I've carried on the conversation here.