Meltdown and Spectre Chip Flaws Affect Billions of Devices
Once again, the Google Project team has struck at the backbone of the technology. Researchers from the Google Project team have disclosed vulnerabilities that potentially impact all major CPUs, including those from AMD, ARM, and Intel, threatening almost all PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.
The disclosed vulnerabilities have been categorized into two attacks, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could allow attackers to steal sensitive data that is currently being processed on the computer.
Both vulnerabilities exploit a chip feature known as "speculative execution", a technique used in almost every modern CPU to optimize performance.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Spectre is another critical bug that has been disclosed. Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
In comparison to Meltdown, Spectre is harder to exploit and is also harder to mitigate. Download the paper for more information (PDF).
As I have said, it's worst because this vulnerability impacts almost every system, including desktops, laptops, cloud servers, as well as smartphones.
What Can You Do Now?
Many vendors have security patches available for one or both of these attacks.
- Windows — Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
- macOS — Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations.
- Linux — Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.
- Android — Google has released security patches for Pixel/Nexus users as part of the Android January security patch update. Other users have to wait for their device manufacturers to release a compatible security update.
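
For the Linux item above, one way to confirm after patching that the mitigations are active (an added example, not part of the original article): Linux kernels that include the sysfs reporting interface expose one status file per issue under /sys/devices/system/cpu/vulnerabilities. The function names and the sample status lines below are this example's own, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: read the kernel's own Meltdown/Spectre status report from sysfs.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<status line>" -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_flaws [dir] -> prints "<file> <CVE> <state>" for each issue.
# Returns 0 only when every issue is mitigated or not_affected.
check_cpu_flaws() {
    dir=${1:-$VULN_DIR}
    rc=0
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${entry%%:*}
        cve=${entry#*:}
        line=""
        if [ -r "$dir/$name" ]; then
            IFS= read -r line < "$dir/$name" || true
            state=$(classify_status "$line")
        else
            state=unknown   # no status file: this kernel does not report the issue
        fi
        echo "$name $cve $state"
        case "$state" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample directory (illustrative status lines, not real measurements).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
check_cpu_flaws "$sample" || echo "at least one issue is not mitigated"
rm -rf "$sample"
```

Calling check_cpu_flaws with no argument reads the live status files; a state of unknown means the running kernel does not provide the report, so the patch level has to be checked another way.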