Most malware programs like viruses and trojans exploit a vulnerability present in a program, often an operating system, but not necessarily. When such a vulnerability is found, it can in general be patched easily by modifying the program and updating the computer running it. When a piece of hardware is insecure and may become a potential target for malware attacks, things become more complicated. When a vulnerability is identified in the DNA of the processor itself, hell breaks loose.




This is exactly what happened last week when the Meltdown and Spectre “issues” were made public. These two issues concern processors made by Intel, AMD and ARM, and maybe products from other CPU manufacturers too, processors used in computers, laptops, smartphones, tablets, and smart watches to name a few. Malware capable of exploiting these vulnerabilities potentially threaten billions of devices.

Both the Meltdown and Spectre vulnerabilities are due to speculative execution, a technique where the CPU when encountering a decision tries to predict what the decision will be and starts executing the corresponding code in advance. The goal here is, of course, to speed up program execution. Researchers, however, have discovered that doing so may give user programs access to kernel memory and the possibility to modify it, and influence the applications behaviour or inject malicious code.

Although exploiting the two new vulnerabilities seems to be pretty difficult, software manufacturers have started a race to provide patches to protect their users against these issues. What most users fear now is a performance decrease due to these patches that have to fix things at such a low level.