In December of last year, two critical computer vulnerabilities considered to be “very severe” by security analysts, were discovered in almost every computing device from the last twenty years. This includes desktop and laptop computers, servers, and smartphones. These vulnerabilities can serve as a big threat to most, if not all people who use a computer or smartphone to store their sensitive data such as bank accounts, passwords and personal identification.

Spectre and Meltdown are two security flaws found in all modern Intel chipsets and in some ARM based chips. Since Intel is the leading manufacturer of computer chips for the last twenty years, most computers and smartphones contain the vulnerability in their operating systems. These bugs are dangerous because they have the potential to gain access to unprivileged, sensitive user information.

    Even before its astonishing announce, companies like Apple and Microsoft, who use Intel based chipsets, were forced to update their software to fix the vulnerability. Patches, or updates specialized in fixing bugs, started rolling out just as the vulnerabilities became public, although some “communities” like Linux, which isn’t controlled by one executor, took days and even weeks to roll out patches.

    These two flaws were found by Google Project Zero, a subdivision of Google, tasked with finding “zero day exploits”. An exploit is a written string of code that is used to attack hardware or software to gain unprivileged access to a computer. A “zero day exploit” refers to an exploit that has been written to attack a previously unknown vulnerability. Google Project Zero aims to find critical bugs in computers, and make them known so manufacturers can fix them.

    Spectre and Meltdown work in relatively the same manner with small differences. They both allow access to a computer’s kernel. The kernel is the base level of the operating system. It communicates between the physical hardware and the operating system, so most if not all information being processed passes through it. When information is passed through the kernel, it is “checked” to make sure it has privileges to have access to a computer’s hardware or software. Spectre and Meltdown are able bypass kernel “checks” in certain areas to gain read access to computer memory. Computer memory is much like a hard drive, except it only stores data temporarily, that the computer is using frequently, like a program or a text document. If the attack is successful, an unprivileged user can steal information from the memory which may leak private and sensitive user data. Although Spectre and Meltdown are severe bugs, they do have their problems. Meltdown can only attacked if the attacker has physical access to the computer or device, an exploit attacking Spectre can breach a device through javascript runtime environments, which means one visit to an untrusted website could allow an attacker to gain access to a computer.

    Although most manufacturers have rolled out patches for these bugs, consumers are not always keen on immediately updating their computer or smartphone. To ensure protection from Spectre and Meltdown, users must stay on the most updated version on their devices. So check your devices and update immediately, stay safe out there!