Recently the world learned about some of the largest vulnerabilities ever to be disclosed to the public. In the first week of January chip manufacturers informed users that new vulnerabilities had been discovered in their processors. These vulnerabilities have been dubbed "Meltdown" and "Spectre". They represent a set of serious security vulnerabilities in computer's processing. These flaws in the microprocessor design allow areas of the computer's memory to be able to be accessed by programs that should not be allowed to do so. The flaws affect nearly every computer chip (computer, smartphone, tablet, and smart device) made in the past 20 years.
The reason for these vulnerabilities are that computers have employed a technique called "speculative execution" which speeds up processing by allowing the computer to begin processing what might be needed next before the program requests the information. For instance, if the program says, "If A is true, compute function X; if A is false, compute function Y", the chip can start computing both functions X and Y in parallel, before it even knows whether A is true or false. Once it knows whether A is true or false, it already has a head start on what comes after, which speeds up processing overall. Or, in another variation, if a chip learns that a program makes use of the same function frequently, it might use idle time to compute that function even when it has not been asked to, just so it has what it thinks the answer will be on hand. Computers also store needed information in special high-speed memory called a "CPU cache". Access to the CPU cache is granted only after a privilege check to determine if a software program is allowed to see the information in it. However, when coupling speculative execution with CPU cache, a hacker can attempt to read protected memory without first passing a privilege check. A program could be written that would allow malicious access to what other programs or users on a computer may be using. This is especially dangerous on servers where many users are accessing many different programs like a set of virtual servers or in a cloud environment. In a cloud environment a hacker could buy an account and then attempt to access other companies' programs and information.
Since these new vulnerabilities are so pervasive, it would seem that there is little that can be done to protect yourself from hackers. However, there are several important steps that you can take.
- First, do not panic. These vulnerabilities have been around for two decades before being discovered and there is no evidence that anyone has actually used Meltdown or Spectre to steal information yet. So there is time for patches to be developed and distributed. Patches for most major cloud vendors have already been put into place to mitigate this vulnerability. Vendors like Dell and HP are releasing patches for individual computers. Windows and Apple have released updates for their operating systems.
- Make sure that you keep your computer up to date. Ensure you have automatic updating for your computer turned on. This is the best defense against any vulnerability. Whenever you see your computer asking you to reboot to install an update, do so in a timely manner. Having the most up to date software on your computer is crucial to being less vulnerable.
- If you have an older computer, you should start thinking about replacing it sooner rather than later. Likewise if you are running software that is no longer supported (such as Windows XP, Internet Explorer 10 or earlier, Office 2010 or earlier), you should upgrade it. Computer vendors typically only release security patches for computers and software that they are currently supporting.
- If you own a business, consult with your IT staff about where you could be vulnerable. Most businesses uses some type of virtual servers or cloud computing today. Ask your cloud computing partner what they have done to minimize any exposure that they have to these vulnerabilities.
- Pay attention to the news and information that is released about Meltdown and Spectre. Throughout January there are been numerous patches released with varying degrees of effectiveness and side effects. A good source of technical information as well as links to patches can be found here.
Here at The First National Bank of Newtown, we are monitoring these vulnerabilities carefully and applying patches to our systems. We take our responsibility to protect your money very seriously and appreciate your trust in us.
