Spectre and Meltdown – Critical Computer Vulnerabilities Affect Almost ALL Computers

Spectre and Meltdown


Posted Jan 24, 2018

Update Feb 01, 2018 – see text at the bottom of the article.

Update Mar 21, 2018 – minor update. Updated the version number for Steve Gibson’s InSpectre utility. Make sure you get the most recent version. This article will not necessarily be updated every time he updates his utility.

Spectre and Meltdown are two serious computer security vulnerabilities that affect pretty much every computer on the planet and every OS.  Security researcher Steve Gibson has released a very nice 123 KB utility that checks computers for the Spectre and Meltdown vulnerabilities.  It’s pretty cool.  You should check it out.

Here is some text from his website describing the vulnerabilities:

“In early 2018 the PC industry was rocked by the revelation that common processor design features, widely used to increase the performance of modern PCs, could be abused to create critical security vulnerabilities. The industry quickly responded, and is responding, to these Meltdown and Spectre threats by updating operating systems, motherboard BIOS’s and CPU firmware.”

Here are some links to additional info. These pages have introductory info and FAQs. Both links actually lead to the same site.

https://meltdownattack.com/
https://spectreattack.com/

The first question in the FAQ is interesting and jarring:

“Am I affected by the vulnerability? – Most certainly, yes.”

Here is some text from their introduction:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

I’ve pasted a screen image from Steve Gibson’s testing utility below. It works best on Windows but also works under Wine on Linux and Mac. I don’t know if the OS-related data is as accurate on those latter OSes, particularly running under Wine, but the chip-related data should be. As you scroll down in the results window, the text in the app describes the vulnerabilities, the state of your particular system, and what it means. The utility produces an instant result.

The program does not need to be installed. Just download it into a folder or to the desktop and run it. If you run it in admin mode on Windows, it allows you to turn Spectre and Meltdown protection on and off by tweaking some registry keys and rebooting. Not sure how that works on Linux and Mac. Turning protection off on older systems can improve performance, but I would strongly recommend against it. Note that, as I understand it, if the utility says you need a BIOS update to achieve protection from either or both of the vulnerabilities, then you will not get that protection until you update the BIOS, whether or not you press the “turn protection on” button and whether or not you’ve patched the OS. OS patches are required for all computers as far as I know, and many will require BIOS updates.
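On Linux, kernels that carry the Meltdown and Spectre patches report their own mitigation state in files under /sys/devices/system/cpu/vulnerabilities. The script below is an added example (not part of InSpectre or of the original article) that summarises those files; the function names and the VULN_DIR override variable are made up for this illustration.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's Meltdown/Spectre status files.
# Assumption: the kernel is recent enough to expose the sysfs directory below.
# VULN_DIR is a hypothetical override so the script can be pointed at a copy.

DEFAULT_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<name> <verdict> <kernel text>" for each status file.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry is
# vulnerable or unreadable, 2 if the kernel provides no status directory.
report_vulnerabilities() {
    _dir=$1
    _rc=0
    if [ ! -d "$_dir" ]; then
        echo "no status directory at $_dir (kernel too old to report?)" >&2
        return 2
    fi
    for _name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$_dir/$_name" ]; then
            _status=$(head -n 1 "$_dir/$_name")
        else
            _status="(status file missing)"
        fi
        _verdict=$(classify_status "$_status")
        printf '%-11s %-13s %s\n' "$_name" "$_verdict" "$_status"
        case "$_verdict" in
            VULNERABLE|unknown) _rc=1 ;;
        esac
    done
    return "$_rc"
}

# Report on the live system (or on the directory named in VULN_DIR).
report_vulnerabilities "${VULN_DIR:-$DEFAULT_VULN_DIR}" ||
    echo "Not fully mitigated, or status unavailable: check for OS and firmware updates."
```

A "VULNERABLE" line for spectre_v2 on a fully patched OS is the situation the paragraph above describes, where a firmware update is still needed.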

The following is an example-only image; it does not represent an actual test result.

[Image: example screenshot from Steve Gibson’s InSpectre program]

You can get Steve Gibson’s InSpectre utility from the link below. Don’t download it from anywhere else. As of the time of this writing, he’s on Release # 7. Make sure the version you get is that or later. Initially, some antivirus programs were complaining about it, but this is definitely not a virus if you get it from the original source in the link below. I think he’s fixed those AV false-alarm problems.

Note the spelling of this link is “inspectre”, not “inspector”.

https://www.grc.com/inspectre.htm

You can also get to the page through the menus on his site by going to:

https://www.grc.com/

and selecting from the top menu: freeware – security – inspectre.

Here you can find the Security Now podcasts on this topic:

https://www.grc.com/securitynow.htm

https://media.grc.com/sn/sn-648.mp3

https://twit.tv/shows/security-now/episodes/648

https://media.grc.com/sn/sn-647.mp3

https://twit.tv/shows/security-now/episodes/647

https://media.grc.com/sn/sn-646.mp3

https://twit.tv/shows/security-now/episodes/646

https://media.grc.com/sn/sn-645.mp3

https://twit.tv/shows/security-now/episodes/645

Unfortunately, older PCs may need a BIOS update to fix the vulnerabilities and not get one. It’s a real dilemma since replacing equipment is a big expense, especially for individuals.

It seems that we humans don’t know how to do secure computing as well as we thought.  Many people haven’t even mitigated KRACK yet.

(If you need to brush up on the almost universal KRACK WiFi vulnerability, see this: https://www.krackattacks.com/ .)

Update Feb 01, 2018 – added links to Steve Gibson’s latest podcasts covering this subject. He’s now at version 6b for his utility. Some BIOS patches are causing unwanted reboots. If this happens, you can turn off protection until a newer BIOS is available.

Update Mar 21, 2018 – Steve Gibson’s InSpectre utility is now at Release # 7.

Hope this info is helpful.

Ron