What are Meltdown and Spectre?
In the simplest terms, Meltdown and Spectre are bugs in modern computers which can leak passwords and other sensitive data.
Security researchers working for Google’s Project Zero group have discovered a series of far-ranging security risks involving speculative execution. Speculative execution is one of the cornerstones of high-performance execution on modern CPUs, and is found in essentially all CPU designs more performant than an embedded microcontroller. As a result, essentially every last high-performance CPU on the market or that has been produced in the last couple of decades is vulnerable to one or more of a few different exploit scenarios.
The immediate concern is an exploit being called Meltdown, which primarily affects Intel’s CPUs, but also has been confirmed to affect some ARM CPU designs as well. With Meltdown it is possible for malicious code to abuse Intel and ARM’s speculative execution implementations to get the processor to leak information from other processes – particularly the all-knowing operating system kernel. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, or other virtual machines.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data that is currently being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Immediate risk from these attacks is very low
The good news is that unless you’re a cloud service provider, the immediate risk from these attacks is very low. The bad news is that because these exploits are based on hardware vulnerabilities, they will take some time to fix. And there are a lot of devices running a lot of different OSes out there that need to be fixed.
These are local attacks: Both Meltdown and Spectre are local attacks that require executing malicious code on the target machine. This means that these attacks are not (directly) remote code execution attacks – think Nimda or Code Red – and a system cannot be attacked merely by being connected to a network.
Meltdown and Spectre can be mitigated in software: Because the root issues at the heart of Meltdown and Spectre are at the hardware level, ideally that hardware needs to be replaced. In the meantime, they can be mitigated by a combination of CPU microcode and operating system updates. Vendors like Microsoft, Apple, and the Linux distributions are already in the process of rolling out some of these fixes, including an ultra-rare out-of-cycle security update from Microsoft released Wednesday.
What Can Users Do Right Now?
What can system and device owners do about the Meltdown and Spectre attacks? The only thing that can be done right now to mitigate the problem is to install the operating system updates and microcode patches described above, which attempt to work around the problem.
Bottom line, make sure you keep up with all the updates provided by your operating system provider (Microsoft, Apple & Linux).
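Installing the updates is only half the job; a practitioner also wants to confirm the kernel actually reports the mitigations as active. The script below is an added example, not part of this article; it assumes a Linux kernel (4.15 or later) that exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/, and the sample file contents are constructed, not captured from a real host.

```python
"""Report Meltdown/Spectre mitigation status as exposed by the Linux kernel.

Each file under /sys/devices/system/cpu/vulnerabilities/ holds one line:
"Not affected", "Mitigation: <detail>" or "Vulnerable[: <detail>]".
A missing directory means the kernel predates the interface, so nothing
can be concluded from it (treat as "update the kernel first").
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(line: str) -> str:
    """Map one sysfs status line to a coarse state."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # absent file or unrecognised wording


def audit(entries: dict) -> dict:
    """entries maps issue name -> file content; missing issues become 'unknown'."""
    return {name: classify(entries.get(name) or "") for name in ISSUES}


def needs_action(status: dict) -> list:
    """Issues still vulnerable or unknown: patch, or investigate why not reported."""
    return [name for name, state in status.items() if state in ("vulnerable", "unknown")]


def read_sysfs(vuln_dir: Path = VULN_DIR):
    """Read the live sysfs files; None when the kernel lacks the interface."""
    if not vuln_dir.is_dir():
        return None
    return {p.name: p.read_text() for p in vuln_dir.iterdir() if p.is_file()}


# Constructed samples: a patched host (KPTI + retpoline) and an unpatched one.
SAMPLE_PATCHED = {"meltdown": "Mitigation: PTI\n",
                  "spectre_v1": "Mitigation: __user pointer sanitization\n",
                  "spectre_v2": "Mitigation: Full generic retpoline\n"}
SAMPLE_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n",
                    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"}

if __name__ == "__main__":
    live = read_sysfs()
    if live is None:
        print("kernel does not expose vulnerability status; update the kernel first")
    else:
        print(audit(live), "needs action:", needs_action(audit(live)))
```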