Now we’re finally getting more technical details about this CPU vulnerability. Google has revealed that they uncovered the issue last year and it involves two vulnerabilities named Meltdown and Spectre. So, let’s tell you more about them and answer some of the burning questions at the moment.
What are Meltdown and Spectre vulnerabilities?
Meltdown and Spectre flaws deal with one of the most fundamental principles of computer security which states that while running someone’s else’s code on an operating system, it must be contained with the help of tight permissions and restrictions.
Meltdown allows a program to access the memory and prohibited part of other applications and operating system. It does so by exploiting the side effects of the “out-of-order execution” on modern CPUs to read the kernel memory locations; the program can also access passwords and personal data.
For those who don’t know, out-of-order execution is a high-performance paradigm that’s used by CPUs to improve efficiency. With this, modern CPUs look ahead and schedule the subsequent operations to idle units of a processor.
Both Meltdown and Spectre attacks are based on the same general principle. Spectre focuses on stealing data from the memory of other programs running on the computer and breaks the isolation between different apps. Using this attack, a notorious player can trick safe programs into leaking secrets.
While vulnerability CVE-2017-5754 has been assigned to Meltdown, CVE-2017-5753 and CVE-2017-5715 have been designated to Spectre.
Which devices/CPUs are affected?
As per Google’s findings, Meltdown attack only works against Intel CPUs. While the researchers haven’t been able to perform kernel memory-based speculation on AMD and ARM CPUs, they haven’t ruled out the chances. ARM has said that some of its designs could be affected.
Due to this, desktop, laptop, and cloud computer owners should be worried. The researchers have tested Meltdown on Intel CPUs released as early as 2011. Theoretically, every Intel CPU released since 1995 is a target.
On the other hand, Spectre flaw has been verified for Intel, AMD, and ARM CPUs. As a result, smartphones are also impacted.
That’s not all. The cloud providers that use Intel CPUs, Xen PV as virtualization, and providers with no real hardware virtualization are affected. This includes Docker, LXC, and OpenVZ as well.
What about the fix?
It goes without saying that all the impacted parties are working to release patches as soon as possible. In upcoming days/weeks, we’ll see a series of updates that would be released to take care of this issue. Microsoft, ARM, Linux, and others have already pushed patches and are working further for more updates.
It’s important to follow these developments as the issue has been labeled “not easy to fix.” So, there could be broken updates, performance decline, and other issues. However, for high-priority security reasons, you’re required to apply the available patches at the earliest.
Find the detailed information on these massive flaws and individual draft papers on this page.