While most of the world has been caught up in how much they love/hate Star Wars and how bad the new Presidential Challenge Coin is (it is just the worst) a new threat has been discovered that will affect nearly every piece of technology you own.  A massive design flaw has been found in the blueprints of the majority of modern CPU’s that power everything from cloud services to your cell phone.  What’s worse is there is no way to fix it that doesn’t make things worse for consumers.

Introducing Meltdown and Specter!

Sit down and strap in. This is going to suck.

What is Kernel Memory and why does it matter so much?

Imagine an old phone switchboard like the one pictured above. One person asks to be connected to another and the operator connects the two manually.  Over time, this process became automatic and the operator no longer had to be interacted with at all.  In modern times, the operator is a completely computerized system that we don’t even consider to be part of the call.  But it’s still there; connecting you to whatever destination you want to call.  This operator connects you and every other phone user out there to the desired destinations, without anyone being aware of the other calls.

This is what a kernel does in a computer.

When a computer program (or system process) needs information from the disk or input from a device, they call upon the kernel to connect them to it.  The kernel’s job is to connect all of these systems while keeping them separate enough that they don’t start to crosstalk or tie up resources meant for others.  In much older computers, this was handled by a physical address and interrupt request system and it worked for the time.  However as computers got faster and more and more processes needed access to hardware, the old IRQ system just couldn’t keep up.  This is when it became the kernel’s job to manage these resources behind the scenes.

Remember that operator in the picture above? Now imagine BEING that operator and able to listen in on everything going on in the computer.

Where things got really bad.

In an effort to make their CPU’s faster and faster, manufacturers had to make information more readily available to the kernel.  To do this, they started to heap on larger and larger memory caches for the kernel to use.  Within that memory space, everything is readily available and the kernel can just grab information at will.

That cryptocurrency chain you just did? It’s in there.

That password you just entered? It’s there too!

The entire map of everything on your hard drive? Yup, probably there!

When that was only able to get them so far, Intel developed a branch-prediction engine that allowed the CPU to anticipate what information it was going to need before you actually called upon it, and pre-load it into the kernel memory.  AMD and ARM used different methods to accelerate the kernel memory, but the end result was the same; there was suddenly a massive amount of sensitive information just floating around in an unprotected area of the CPU.  Unprotected, but invisible to all user and system applications.

Until now.

Enter the malware.

In November it was revealed that a method had been developed to access this invisible section of memory and extract its information.  What was worse was that it could be done with nothing more than cleverly coded JavaScript.  To prove it wasn’t all just hysteria, security researchers then built a proof of concept that was successfully able to do just that from just visiting a webpage.

To reiterate: JUST VISITING A WEBSITE THAT LOADS THIS JAVASCRIPT CAN COMPLETELY COMPROMISE YOUR COMPUTER.

The methods are code named Meltdown and Specter.  Meltdown only applies to Intel CPU’s, while Specter applies to some Intel, most AMD, and some ARM CPU’s.  (Note: AMD says that there is virtually zero chance that this applies to them, however it has already been proven to effectively exploit AMD processors.)

How to move past this.

Here’s the real problem with this sort of vulnerability: It’s the fundamental design of the hardware that’s vulnerable.  This means there is no patch that will suddenly fix how the hardware runs and they can’t push code that will simply disable part of a CPU.  Instead, the operating systems that use the hardware have to change how they request information from the kernel memory.  This, unfortunately, comes the cost of performance.

You may have already noticed your computer or smartphone acting a little sluggish lately.  If you received a major update in the last couple months, that was likely what was pushed to you. All Apple macOS machines have been secured against this since version 10.13.2 and Windows Insiders have recently been pushed the update as well.  General Windows users should be getting patched this coming ‘Patch Tuesday’ and Android users should be ok with the latest security update.  There is currently no word on iOS users.  As this will also effect servers the world over, you can probably expect your favorite websites (like ours) and cloud services to also take a performance hit.  Current estimates are looking at a 17-23% performance hit.

If you use Firefox or Chrome, it is HIGHLY recommended you enable site isolation immediately.  You can find instructions here (firefox:chrome)

Or, if you’re the really paranoid type, you could just destroy your CPU and wait to buy a new one without this problem.