We seem to have another computer threat to worry about. It seems all CPUs made in the last 20 years, including those unsold and in production, are vulnerable to Spectre and Meltdown hacks.
These hacks go right for the CPU and allow the hackers to mine memory for information. Worse, these hacks are hard to detect.
All this has received greater attention in the UK press than here. Mainly I think because UK manufacturer ARM makes Apple CPUs. It seems all ARM, Intel and AMD CPUs are vulnerable.
It seems hard to come up with a fix. Spectre is the most serious and as yet there is no solution. Many experts are skeptical this back door can be closed with software patches.
Apple and Microsoft were supposed to issue patches Jan 4 for Meltdown, but did not. Rumor has it they were only partially effective. There is no patch on the horizon for the more serious Spectre.
Now this is a very difficult vulnerability to exploit, discovered by Google. It was supposed to stay secret, but some idiot could not keep his mouth shut and released the info to Reddit. So the info had to be made public.
It seems the easiest route for hackers is adverts. So a strong ad blocker is recommended. I have used uBlock Origin on all our devices for some time, and would give it a strong recommendation to you all.
First of all, just to be precise, ARM does not make Apple CPUs. In fact, ARM doesn't design or make any CPUs at all. ARM is a provider of different kinds of CPU design "intellectual property", and other companies, like Apple, Broadcom, Qualcomm, and numerous others, use ARM's IP to design their CPUs. That's why they're technically called "ARM-based CPUs". MIPS is another example of this type of IP provider.
(As an aside, in modern parlance, a CPU is one or more CMOS dies that are fitted into a chip package, that equates to a single "socket" that plugs into a computer motherboard. Each "CPU" includes multiple "cores", where each core has certain hardware modules, lately called execution units, that process the instructions as defined by the software. There are numerous different types of execution units in each CPU design. Each core can have separately addressable register sets that allow the sharing of these execution units between multiple instruction streams, which can make each core look like multiple cores to the operating system. These logical instances of physical cores are called "hardware threads". Typically, CPUs have cores that support between one and eight hardware threads, so an 8-core CPU with dual threads per core looks like 16 actual "CPUs" to the operating system.)
So, Apple, for example, uses ARM IP to design their A-series CPUs, and I suspect Apple has the type of license from ARM that allows them to modify the processor logic. Of course, Apple doesn't make CPUs either, in a physical sense, nor does Broadcom or Qualcomm - these companies are called fabless semiconductor companies. They send their designs to fabricators like TSMC, Samsung, and Intel to manufacture the chips for them. So all ARM-based CPUs are different, though they have the same basic instruction set to adhere to the IP license agreement.
Obviously, Apple uses Intel CPUs for Macs.
So, how bad are these "flaws"? Well, anyone can do exhaustive internet searches to try to understand what Meltdown and Spectre are, but the information available looks pretty skimpy. CPUs are so fast compared to memory that CPU designers use tricks to keep the cores busy and keep them from waiting on memory accesses, which slows performance. (CPUs process multiple instructions per clock cycle, and their clock speeds are less than a nanosecond. DRAM DIMM access times are typically 50-90 nanoseconds, so we're talking differences of multiple orders of magnitude.) Two strategies used by CPUs, which are completely invisible to the operating systems, are speculative execution and CPU-local static RAM caches. Speculative execution "looks ahead" in the software path and does some level of instruction processing in advance. CPU-local caches operate at speeds that are reasonable multiples of the CPU clock speed, making the CPU wait much less for instructions and data. Unlike memory, which is managed by the operating system, caches are largely managed by the CPU hardware or microcode.
It looks like Spectre and Meltdown involve exploiting characteristics of these mechanisms, which due to their CPU-specific nature circumvent operating system security architectures, to allow malware to directly access or infer information owned by other applications on the same computer system. This would be extraordinarily sophisticated malware, on the order of Stuxnet. NSA-class development, not your typical malware hacker. The risk seems to be that lots of not-so-friendly countries have NSA-class capabilities, and potentially could use these so-called flaws to develop some very nefarious malware that could affect basic infrastructure, just guessing.
How much of a threat is it really to a home system? I have no idea, but on a general level the indicator I use for risk is how much money the industry is spending on avoidance, and they're spending a lot to mitigate these two vulnerabilities. I'm not sure what to do about it though other than apply OS or BIOS updates as they become available, which we should always do. No matter how well you design a lock or a barrier, someone will eventually figure out how to break it or go around it. Malware designers have more time to think about ways to break things than product developers have time to analyze their designs. And the bad guys outnumber the designers too.
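
An added example, not part of the original posts: one way to check whether OS updates like those mentioned above have taken effect. It assumes a Linux machine whose kernel (4.15 or later) reports per-issue status under `/sys/devices/system/cpu/vulnerabilities`; the `SAMPLE` lines are constructed and used only where that directory is absent.

```python
from pathlib import Path

# Linux sysfs directory (kernel 4.15 and later); absent on other systems.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample lines, used only when SYSFS_DIR does not exist.
SAMPLE = {"meltdown": "Mitigation: PTI", "spectre_v1": "Vulnerable",
          "spectre_v2": None}


def classify(status):
    """Map a kernel status line (or None if unreported) to a category."""
    if status is None:
        return "unknown"
    s = status.strip()
    # Match on the prefix only: detail after it can itself contain words
    # such as "Not affected" for a sub-feature.
    for prefix, category in (("Not affected", "not_affected"),
                             ("Mitigation:", "mitigated"),
                             ("Vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return category
    return "unknown"


def read_sysfs(base=SYSFS_DIR, entries=ENTRIES):
    """Return {entry: raw line}, with None where the kernel has no such file."""
    lines = {}
    for name in entries:
        try:
            lines[name] = (Path(base) / name).read_text().strip()
        except OSError:
            lines[name] = None
    return lines


def needs_attention(lines):
    """Entries not confirmed as mitigated or not affected."""
    return sorted(n for n, raw in lines.items()
                  if classify(raw) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    lines = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE
    for name, raw in lines.items():
        print(f"{name:11} {classify(raw):13} {raw or 'not reported'}")
    print("needs attention:", ", ".join(needs_attention(lines)) or "none")
```

An entry listed under "needs attention" is either reported as vulnerable or not reported at all, which on an old kernel usually means the kernel predates the fixes.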