
Meltdown and Spectre: Security Flaws Put Your Technology at Risk

IT and security professionals are grappling with two vulnerabilities -- Meltdown and Spectre -- found in the hardware design of nearly every CPU running in computers today. (Graz University of Technology)

ALBANY, N.Y. (January 8, 2018) -- Meltdown and Spectre are the names given to two vulnerabilities that are embedded in the hardware design of just about every Central Processing Unit (CPU) running in computers today. This design flaw has existed for many years, but was only recently discovered and publicly disclosed.

According to the New York Times, these flaws can potentially provide hackers with the means to lift passwords, photos and virtually any kind of data from any device that uses CPUs, including smartphones and iPads, as well as the hardware that powers cloud computing services.

UAlbany CISO Martin Manjak

The University at Albany’s Chief Information Security Officer, Martin Manjak, offered this overview of how these flaws operate, and what can be done to protect your data.

Q: How do these security flaws work?

A: Meltdown removes the isolation that is supposed to be maintained between applications and the system’s hardware, specifically memory (RAM). When an application makes a call for a system resource, it hands off that request to the operating system (OS), which interacts directly with the CPU, disk storage and memory.

Spectre accomplishes the same breakdown, but between the data used by different applications.

In both cases, it means that the data normally restricted to a particular application or the OS can be fetched from memory by a malicious application. This includes passwords or any other data used by the application, such as Social Security numbers pulled from a database.

Q: What are the risks posed to individuals from Meltdown and Spectre?

A: The major risk is to cloud providers and their customers due to the scale and shared nature of their infrastructure. Individual workstations and home computers, while needing the OS patches, are not at high risk.

Q: Is there any way to protect against the security flaws?

A: The flaw exists in the hardware design, but short of replacing every computer on the planet, the immediate fix is to address the flaw at the OS level. This is the course of action that every software vendor will have to pursue, and users will have to implement.

Q: How is UAlbany responding to Spectre and Meltdown?

A: Information Technology Services is scheduling server updates for next week. We’ve already initiated patches on our virtual environments, and have begun pushing patches to managed workstations as part of the University’s regular update activities.

Q: What other steps can individuals take to protect their data?

A: The standard safeguards apply to this situation as with any other malware-based threat:

  • Turn off your machine when not in use.
  • Make sure you reboot at least once a month to properly install University-distributed updates.
  • Confirm all sources of emails containing unexpected attachments or links (or use the Phish Alert add-on to report the message).
  • Exercise caution when encountering unexpected prompts while visiting web pages.

Additional Information:

For a good summary, with links to more detailed whitepapers of the Meltdown and Spectre vulnerabilities, please see this page.


A comprehensive public research university, the University at Albany-SUNY offers more than 120 undergraduate majors and minors and 125 master's, doctoral and graduate certificate programs. UAlbany is a leader among all New York State colleges and universities in such diverse fields as atmospheric and environmental sciences, business, education, public health, health sciences, criminal justice, emergency preparedness, engineering and applied sciences, informatics, public administration, social welfare and sociology, taught by an extensive roster of faculty experts. It also offers expanded academic and research opportunities for students through an affiliation with Albany Law School. With a curriculum enhanced by 600 study-abroad opportunities, UAlbany launches great careers.