The past week has seen the entire tech world abuzz with talk of two new exploits which could be used to target every processor made in the last 20 years.
Dubbed Meltdown and Spectre, these exploits are so severe that every major technology company is scrambling to protect themselves and their customers.
These hardware bugs work by allowing programs to steal data that is currently being processed on the computer. While programs are usually not permitted to read data belonging to other programs, a malicious program could exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.
Apple says that “The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.”
Originally discovered by members of Google’s Project Zero, both Meltdown and Spectre could affect nearly every known computer, tablet and phone on the planet, regardless of operating system or manufacturer. Luckily for all of us, there has not yet been a case of either discovered in the wild (that is, in the real world rather than in a controlled environment).
Am I affected by the bug?
Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. Exploitation does not leave any traces in traditional log files.
Can my antivirus detect or block this attack?
While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
What can be leaked?
If your system is affected, the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
Has Meltdown or Spectre been abused in the wild?
As yet, there are no reported cases.
Is there a workaround/fix?
There are patches against Meltdown for Linux, Windows and OS X. There is also ongoing work to harden software against future exploitation of Spectre, and to patch individual programs once exploitation through Spectre is found.
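One way to verify that the Meltdown and Spectre patches mentioned above are actually active on a Linux machine is to read the per-vulnerability status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (present on kernels from 4.15 onward; the entries are named meltdown, spectre_v1 and spectre_v2 and read "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>"). The following checker is an added example written for this post, not code from any vendor or from the Meltdown/Spectre papers; the function names classify_status and read_sysfs_status are chosen here, and the sample status strings in the comments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Status classes for one entry under /sys/devices/system/cpu/vulnerabilities/.
 * The kernel reports each entry as "Not affected", "Vulnerable[: detail]" or
 * "Mitigation: <detail>" (for example "Mitigation: PTI" for a patched Meltdown). */
typedef enum {
    STATUS_NOT_AFFECTED,
    STATUS_MITIGATED,
    STATUS_VULNERABLE,
    STATUS_UNKNOWN
} vuln_status;

/* Classify a single status line by its leading keyword. */
vuln_status classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read the sysfs entry for one vulnerability name into buf and classify it.
 * Returns STATUS_UNKNOWN when the entry is absent (kernel older than 4.15 or a
 * non-Linux system), which is itself a sign that the fix is not in place. */
vuln_status read_sysfs_status(const char *name, char *buf, size_t buflen) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        snprintf(buf, buflen, "(not reported by this kernel)");
        return STATUS_UNKNOWN;
    }
    if (fgets(buf, (int)buflen, f) == NULL) {
        buf[0] = '\0';
        fclose(f);
        return STATUS_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return classify_status(buf);
}

int main(void) {
    /* sysfs entry names and the CVE each one corresponds to */
    const char *names[] = { "meltdown",      "spectre_v1",    "spectre_v2" };
    const char *cves[]  = { "CVE-2017-5754", "CVE-2017-5753", "CVE-2017-5715" };
    int unmitigated = 0;

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[256];
        vuln_status s = read_sysfs_status(names[i], buf, sizeof buf);
        printf("%-10s (%s): %s\n", names[i], cves[i], buf);
        if (s == STATUS_VULNERABLE || s == STATUS_UNKNOWN) unmitigated++;
    }
    return unmitigated > 0 ? 1 : 0;   /* non-zero exit if anything still needs patching */
}
```

The exit status makes the check usable from a fleet-wide script: a machine that reports "Vulnerable" for any entry, or that has no such entries at all, is one whose kernel has not yet received the patch.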
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).
Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can read system memory. Spectre tricks other applications into accessing arbitrary locations in their own memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion refer to the papers (Meltdown and Spectre).
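The "tricking an application into accessing arbitrary locations in its own memory" part of Spectre is why software hardening is needed in addition to kernel patches: an ordinary bounds check guards the architectural result, but not what the CPU does while it speculates past a mispredicted branch. The standard defence is to clamp the index with a branchless mask so that, even under misprediction, the memory access uses index 0 instead of an attacker-chosen one. The code below is an added example written for this post, not code from the papers, the LLVM patch or any vendor; it follows the arithmetic of the Linux kernel's generic array_index_mask_nospec() but the function names index_mask_nospec, lookup_plain, lookup_nospec and demo_lookup, and the sample table, are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return a mask that is all ones when index < size and all zeros otherwise,
 * computed without a branch. (size - 1 - index) wraps to a value with its top
 * bit set exactly when index >= size, and so does the OR with index; shifting
 * that top bit down yields the out-of-range flag. Requires size <= SIZE_MAX/2,
 * which holds for any real array. */
static inline size_t index_mask_nospec(size_t index, size_t size) {
#if defined(__GNUC__)
    /* Stop the compiler from "proving" the mask redundant from the preceding
     * bounds check; it reasons about the architectural value of index, not the
     * value the CPU may speculate with. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    size_t out_of_range = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (out_of_range ^ 1);   /* 0 - 1 = all ones, 0 - 0 = 0 */
}

/* Ordinary bounds-checked lookup: architecturally correct, but a CPU that
 * mispredicts the branch can briefly execute the load with an out-of-range
 * index before the check resolves. */
int lookup_plain(const uint8_t *table, size_t size, size_t idx, uint8_t *out) {
    if (idx >= size) return -1;
    *out = table[idx];
    return 0;
}

/* Hardened lookup: the same check, followed by masking so that even under
 * misprediction the load sees index 0 rather than an out-of-bounds value. */
int lookup_nospec(const uint8_t *table, size_t size, size_t idx, uint8_t *out) {
    if (idx >= size) return -1;
    idx &= index_mask_nospec(idx, size);
    *out = table[idx];
    return 0;
}

/* Constructed sample table used by the demo; returns the value or -1. */
int demo_lookup(size_t idx) {
    static const uint8_t table[4] = { 10, 20, 30, 40 };
    uint8_t v = 0;
    if (lookup_nospec(table, sizeof table, idx, &v) != 0) return -1;
    return (int)v;
}

int main(void) {
    size_t probes[] = { 0, 2, 3, 4, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int v = demo_lookup(probes[i]);
        printf("idx=%zu mask=%#zx -> %s%d\n", probes[i],
               index_mask_nospec(probes[i], 4),
               v < 0 ? "rejected " : "value ", v < 0 ? 0 : v);
    }
    return 0;
}
```

The masking costs a few ALU instructions per access and only needs to go where an untrusted index feeds a memory read; that is the trade-off behind the compiler and kernel patches listed among the vendor resources below.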
| Source | Resources |
|---|---|
| Intel | Security Advisory / Newsroom / Whitepaper |
| Microsoft | Security Guidance / Information regarding anti-virus software / Azure Blog |
| Google | Project Zero Blog / Need to know |
| Red Hat | Vulnerability Response |
| LLVM | Spectre (Variant #2) Patch |
| MITRE | CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754 |
| Xen | Security Advisory (XSA-254) / FAQ |