“Spectre” sounds like an international spy organization. “Meltdown” doesn’t sound much less sinister. Those are the handles for two attacks exploiting significant design flaws affecting microprocessors, and allowing passwords and other private data like crypto-keys to be stolen. Intel microprocessors are most affected, but they’re not the only ones. Reporting by The Register this week suggests Meltdown affects mainly Intel processors, while Spectre affects processors from Intel, AMD and Arm.
What does that all mean?
A microprocessor is a processor which sits on a micro-chip. A computer’s central processing unit (CPU) sits on the micro-chip or several micro-chips. This is where the basic functionality of computing happens, relying on the micro-chip’s memory. A flaw in modern microprocessors, primarily from Intel, has been exposing memory components to user programs, potentially allowing malicious code to capture private data.
Why does it matter in practice?
We may not notice the impact on cloud services or operating systems, but it seems that downtime has been scheduled for all the major clouds — AWS, Azure, G-Suite, for example — to install the necessary updates. Most large clouds are powered by Intel chips. While this is likely to cause some slowdowns, they may not be noticeable to users. It’s not just clouds that are affected: It seems that any and all devices are exposed to these attacks, potentially at least — yes, including Apple devices. The OS providers are patching the flaws.
Why does it matter in theory?
It’s a reminder that the infrastructure we all now rely on, for everything from marketing and advertising to writing blog posts, is not invincible. If it’s online, it’s vulnerable — that’s always been a motto to remember. But flaws at this very basic level of computational processing are bound to be alarming. What we don’t currently know is whether the attacks have actually been used by malicious actors: The attacks were discovered (and presumably named) by researchers at Google and several academic institutions. Detailed reports from the researchers who discovered the vulnerabilities can be found here.
To cut to the chase: Are you (or were you) affected? Yes. Can you tell if any data was taken? Probably not. In a statement, Intel said it “believes its products are the most secure in the world.” But “most secure” doesn’t seem to mean very secure at all.