Computers are complex beasts.   Unfortunately, they’re getting so complex that even the experts are now having trouble understanding how they work and more importantly how they can be compromised.

You may have heard of Spectre and Meltdown in the news?  They both relate to similar vulnerabilities discovered in most processors manufactured in the last 20 years.

Firstly, some background though – what’s a processor?   The processor, or CPU is basically the brains of the computer.   It’s a chip so complex and advanced that modern processors can have the equivalent of over 7 billion transistors etched into them.    They’re made from extremely pure silicon – basically sand!  Sand so pure that only one in a billion atoms are impure.   The sand is melted and formed into wafers which are polished until they have flawless mirror smooth surfaces.    Highly focussed UV light is shone onto the surface of the wafer to etch out a pattern for the circuit.   It’s this etching that I want to emphasize – once it’s etched, it can’t be changed.   It’s for this reason that bugs found in processors can’t easily be fixed.  Instead, the only two solutions are to either replace the processor, or work around the problem.   And when a processor can cost nearly $2000, you don’t want to be replacing them!

Now were going to get technical!   Processors work by executing a series of tasks (known as a program).   The faster they can execute these tasks; the sooner they can compute the answer you’re looking for.   Programs are exceedingly complex with millions of tasks executed every second, so anything that can be done to speed this up is a benefit.   Modern processors use a technique called “Speculative Execution”.   This technique attempts to guess what’s going to be asked for before it’s needed.   By guessing what’s going to be needed, the processor can have the answer ready before it’s asked for it!    Speculative Execution was developed nearly two decades ago and resulted in between 5% and 30% speed improvements.   These days it’s used in most processors from different manufacturers in the same way.

The next important concept to understand is that a processor has different levels of security built into it.   This is to stop rogue programs from interfering with each other.   The Kernel is the most secure part of a processor and is where passwords and encryption keys are stored and processed.   It’s like a vault on the chip which is always secure and without the combination, there’s no way in.

That is until Meltdown and Spectre appeared.   Researchers found a way to use Speculative Execution for any program to access the Kernel.    Just visiting a simple web page could potentially give hackers access to your passwords (technically they won’t actually know it’s a password – it’s difficult to decipher the data that is stolen, but it’s possible nonetheless)!  What makes this even worse, is because the bug is in the processor, it can’t easily be fixed!   This really is a “worst case scenario”.   The bug has actually been known about since June 2017.   An embargo was put in place to stop those who knew about it from announcing it – giving developers time to try and patch the vulnerability before hackers could take advantage of it.   Unfortunately, news of the bug leaked in January 2018 and we’re now in the position where everyone is rushing to release patches (and causing problems in the process).   Because of the rush, the fixes aren’t being tested properly and have resulted in crashes.  Microsoft released a patch which, if installed on an older type of processor made by AMD caused the computer to no longer boot up.   I’ve personally had to fix this for one of my customers and it wasn’t straightforward!

And the fixes aren’t just causing crashes, they’re slowing computers down.   Because you can’t change the way the processor works, the simplest fix is to switch off Speculative Execution, which then results in a 5% to 30% slow down.    This is especially bad for companies with large datacenters such as Google, Amazon and Facebook.   These datacenters are designed to keep up with demands and meet capacity.  All of a sudden, they’re 30% over capacity and have to be patched to keep them secure!

Unfortunately there’s no nice ending to this story.   This won’t be the last bug to be found in processors, and hackers are always waiting to take advantage of the latest vulnerability.   It does however give you an insight into why it’s important to have the latest patches installed, and also into the continuous battle between security researchers and hackers!   Also remember that regularly changing your password and using different passwords for different sites will help to keep you protected against vulnerabilities such as this.

Until next time, stay updated – and keep safe!