Meltdown and Spectre

It sounds like an IT apocalypse: Meltdown and Spectre. What is happening? Let’s try to see it clear. These vulnerabilities seem to be the a huge matter. It concerns each personal computer and device made in the last ten years. The weak spot is not about a software this time but seems to affect a hardware component: processor. Intel and AMD chips, as well as microprocessors based on ARM architecture and built by Qualcomm and Samsung, are exposed. But, what are they exposed to? To two vulnerabilities that make each machine attackable. Each password and sensitive data stored on billion PCs, smartphones and tablets is now hackable by cyber-criminals. But it’s even worse, there is no solution yet!

Start your Free Trial! in collaboration with

CISCO

Meltdown and Spectre: who found them?

Meltdown and Spectre has been found by Jann Horn (a researcher of the roject Google Project Zero). This study highlighted how an external user that has the access to the CPU of a device, can steal sensitive data and passwords through a “speculative execution”. It is a specific action that optimizes processors’ performances. It is not over yet! Through these vulnerabilities, it’s possible to access the physical memory of the machines. Which are the computers in danger? What seemed to be an Intel-processor-only machines case, is now a global matter. Meltdown and Spectre now affect in a trasversal way all operative systems. Every CPU made by Intel from 1995 to today (with the only exceptions of Intel Itanium and Intel Atom before 2013) is affected by Meltdown. While Spectre, which is a major concern for producers, affects all the processors made by Intel, ARM and AMD.

How can it be solved?

To solve this problem will be necessary a combination of efforts and changing both for the software and the hardware. We are talking about a huge productive effort that will comprehend all the IT industry. Meltdown might be limited with a software update (Microsoft already issued a patch for Windows systems), while Spectre has no solutions yet.

As far as Android is concerned, Google said that the problem affects its operative system too, but added that this is a weak spot that’s hard to exploit. Mountain view said that it’s already working for the release of an update. Apple, instead, has not spoken yet (even if someone is already talking about a new macOS version)

Intel, through a communication, minimized the risks for users: “the vulnerability does not have the potential to corrupt, modify or delete data”. But Brian Krzanich, the CEO, last November sold Intel stock for 24 million dollars. He was well aware of the weak spot, but Intel denies correlations.

Start your Free Trial! in collaboration with

CISCO

Swascan for protection

In order to assure to your business the best tool available, Swascan developed a special cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our four services cover all the governance needs in terms of risk management and periodic assessment. Basically, if you need to understand the areas in which your efforts must focus, GDPR Self-Assessment, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ).