Spectre and Meltdown are the collective names for three different vulnerabilities found in the processors powering a vast number of the computing devices we rely on, from desktop and notebook PCs through to smartphones and other gadgets. And while many people are aware that these vulnerabilities exist and that tech companies are doing their best to plug the leaky bits of code, many aren’t really clear on what the problems are.

Although there are two names out there, Spectre and Meltdown, we are actually dealing with three different vulnerabilities in computer processors.

CVE-2017-5715 and CVE-2017-5753 are described as “Systems with microprocessors utilizing speculative execution and direct (for 2017-5715) and indirect (for 2017-5753) branch prediction may allow unauthorised disclosure of information to an attacker with local user access via a side-channel analysis”. These two flaws have been collectively branded as Spectre.

Meltdown, or CVE-2017-5754, is similar but allows an attacker to conduct side-channel analysis of the data cache.

You’ll notice that all three vulnerabilities talk about a process called speculative execution. This is where a processor carries out a task ahead of it potentially being needed. The Spectre and Meltdown vulnerabilities make it possible for someone to either manipulate the results of those different speculative operations (where the processor is guessing what to do next) or see the outcomes of the wrong decisions that are tossed away.

With Meltdown “the chip is fooled into loading secured data during a speculation window in such a way that it can later be viewed by an unauthorised attacker”.

So, some bad computer code is loaded into a system in such a way that it is executed by the processor, and the attacker then gets to see data that everyone thought was being run in a secure environment.
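The idea that a tossed-away result can still be seen is easier to follow in a small model. The Python below is an added example, not code from the original article: a toy simulation in which `ToyCPU`, `load_and_touch`, `check_before_use` and the sample addresses are all invented for illustration, showing that discarding a speculative result does not undo its effect on the data cache, while a design assumed to check permission first leaves nothing to observe.

```python
# Toy model, constructed for illustration: a dictionary and a set stand in
# for memory and the data cache. It is not a real CPU and reads no real memory.

class ToyCPU:
    def __init__(self, memory, protected, check_before_use=False):
        self.memory = memory                  # address -> byte value
        self.protected = protected            # addresses this program may not read
        self.check_before_use = check_before_use  # True = hardened design (assumed)
        self.cache = set()                    # probe lines currently cached
        self.result = None                    # architectural (visible) result

    def load_and_touch(self, addr):
        """Load memory[addr], then touch the probe line numbered by its value."""
        allowed = addr not in self.protected
        if self.check_before_use and not allowed:
            self.result = None                # refused before any data moves
            return None
        value = self.memory[addr]             # speculation: done ahead of the check
        self.cache.add(value)                 # dependent access warms one line
        if not allowed:                       # permission check resolves late
            self.result = None                # the work is tossed away...
            return None                       # ...but the cache line stays warm
        self.result = value
        return value

    def access_time(self, line):
        """Cached lines answer fast, uncached ones slowly (arbitrary units)."""
        return 1 if line in self.cache else 100


def infer_from_timing(cpu):
    """Return the single probe line that answers fast, or None if none or many."""
    fast = [line for line in range(256) if cpu.access_time(line) == 1]
    return fast[0] if len(fast) == 1 else None


def run(check_before_use):
    memory = {0x10: 7, 0x20: 0x2A}            # constructed sample contents
    cpu = ToyCPU(memory, protected={0x20}, check_before_use=check_before_use)
    visible = cpu.load_and_touch(0x20)        # the program never sees the value
    return visible, infer_from_timing(cpu)


if __name__ == "__main__":
    print("speculative design:", run(False))  # (None, 42)
    print("check-first design:", run(True))   # (None, None)
```

In both runs the program's visible result is `None`; only the timing of later cache accesses differs, which is what "side-channel analysis of the data cache" refers to.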

In the case of Spectre, it’s possible to get a CPU to run computer code from a branch it ordinarily would discard. And this has some potentially nasty consequences.