On 3 Jan 2018, Google’s Project Zero team published information regarding two critical vulnerabilities named Meltdown and Spectre which affect virtually all modern Central Processing Units (CPUs). Cloud service providers like Microsoft Azure and Amazon Web Services (AWS) may also be impacted by these vulnerabilities.
Meltdown (CVE-2017-5754): This vulnerability breaks the most fundamental isolation between user applications and the operating system. It allows an unprivileged program to read kernel memory, and through it the memory of other programs running on the same machine. Desktop, laptop, and cloud computers may be affected by Meltdown. Every Intel processor since 1995 (except Intel Itanium and Intel Atom before 2013) may be affected. Researchers have so far verified Meltdown only on Intel processors.
Spectre (CVE-2017-5753 and CVE-2017-5715): With Spectre, an attacker can trick error-free programs, which follow best practices, into leaking their secrets. Spectre impacts almost every system: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. Researchers have verified Spectre on Intel, AMD, and ARM processors.
The difference between the two is that Spectre tricks a victim program into speculatively accessing arbitrary locations within its own memory address space, while Meltdown bypasses the privilege check that keeps user programs from reading kernel memory. In both cases the accessed data never becomes directly visible to the attacker; it is recovered through a side channel, by measuring which cache lines the speculative access pulled in. Both require running attacker-supplied code on the target (for Spectre, JavaScript delivered by a web page is enough in an unpatched browser) and cannot be exploited purely over the network at this time.
Though no actual exploitation is known to have taken place in the wild, functioning proof-of-concept exploit code is publicly available. Intel, Amazon, Google, Apple, and Microsoft are currently issuing fixes for Meltdown, but the patches will not mitigate all of the risk: they address Meltdown, not Spectre. The OS-level fix (kernel page-table isolation: KPTI on Linux, KVA shadow on Windows) unmaps the kernel from user-mode page tables, so every system call and interrupt now pays an extra page-table switch. The resulting slowdown is estimated at up to 30% for system-call-heavy applications and is much smaller for typical desktop workloads.
It’s harder to pull off a Spectre-based attack, which is why nobody is completely panicking. But the attack takes advantage of an integral part of how processors work (speculative execution), meaning it will take a new generation of hardware to stamp it out for good. In the meantime the fixes are piecemeal: variant 2 (branch target injection) is being mitigated with CPU microcode updates and compiler changes such as Google’s retpoline, while variant 1 (bounds-check bypass) has to be fixed in each affected program by adding speculation barriers at the vulnerable code sites.
Partial OS fix for Meltdown
1. Verify you are running a supported antivirus (AV) application before installing OS or firmware updates. Check with your antivirus software vendor for Operating System (OS) Microsoft withholds its January 2018 updates from machines on which the AV vendor has not set a compatibility flag in the registry, because some AV products make unsupported calls into kernel memory that crash with the patched kernel.
2. Apply all available OS updates.
3. Apply the applicable firmware (CPU microcode) update provided by your device manufacturer.
4. Windows-based machines (physical or virtual) should install the Microsoft security updates released on January 3, 2018. See Microsoft Security Advisory ADV180002 for the update that applies to each version of Windows.
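The four steps above can be verified from the patched host itself. The following PowerShell script is an added example for this advisory, not Microsoft's code nor the original author's; it assumes the QualityCompat registry key and value name Microsoft documented for AV compatibility in ADV180002, the Get-SpeculationControlSettings cmdlet from Microsoft's SpeculationControl module on the PowerShell Gallery, and the FeatureSettingsOverride values Microsoft published for Windows Server in KB4072698. The function names (Test-AvCompatibilityFlag, Get-UpdatesSinceAdvisory, Get-MitigationState, Enable-ServerMitigations) are this example's own. Run it in an elevated session.

```powershell
# Added example: post-patch check for the Meltdown/Spectre steps on a Windows host.
# Assumptions (not from the advisory text): QualityCompat key/value per ADV180002,
# SpeculationControl module from the PowerShell Gallery, Server registry values
# per KB4072698. Requires an elevated PowerShell session.

function Test-AvCompatibilityFlag {
    # Step 1: the January 2018 updates are only offered when the AV vendor has set
    # this REG_DWORD to 0, declaring the product safe with the patched kernel.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

function Get-UpdatesSinceAdvisory {
    # Steps 2 and 4: list updates installed on or after the ADV180002 release date,
    # so the HotFixID can be matched against the KB for this Windows build.
    Get-HotFix |
        Where-Object { $_.InstalledOn -ge [datetime]'2018-01-03' } |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-MitigationState {
    # Steps 3 and 4 together: the module reads the kernel's own mitigation flags.
    # KVA shadow is the Windows Meltdown fix (kernel unmapped from user page tables);
    # BTI (branch target injection) is the Spectre variant 2 fix, which needs both
    # a CPU microcode/firmware update and OS support before it can be enabled.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        MeltdownRequired           = [bool]$s.KVAShadowRequired          # False on AMD
        MeltdownOsSupportPresent   = [bool]$s.KVAShadowWindowsSupportPresent
        MeltdownMitigationEnabled  = [bool]$s.KVAShadowWindowsSupportEnabled
        SpectreV2FirmwarePresent   = [bool]$s.BTIHardwarePresent
        SpectreV2OsSupportPresent  = [bool]$s.BTIWindowsSupportPresent
        SpectreV2MitigationEnabled = [bool]$s.BTIWindowsSupportEnabled
    }
}

function Enable-ServerMitigations {
    # Caveat for Windows Server: the January 2018 update installs the mitigations
    # but leaves them disabled until these values are set (KB4072698). Reboot after.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $mm -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
}

# Usage: run the checks and flag whatever is still missing.
Write-Host "AV compatibility flag set: $(Test-AvCompatibilityFlag)"
Get-UpdatesSinceAdvisory | Format-Table -AutoSize
$report = Get-MitigationState
$report | Format-List
if ($report.MeltdownRequired -and -not $report.MeltdownMitigationEnabled) {
    Write-Warning 'Meltdown (KVA shadow) mitigation is not active: OS update missing, or disabled by policy (the Windows Server default until Enable-ServerMitigations is run).'
}
if ($report.SpectreV2OsSupportPresent -and -not $report.SpectreV2FirmwarePresent) {
    Write-Warning 'Spectre v2 OS support is present but no microcode: apply the manufacturer firmware update (step 3). In a VM the hypervisor host must be patched first.'
}
```

Two caveats for reading the output: on AMD processors KVAShadowRequired is False and the Meltdown flags stay False by design, which is not a missing patch; and inside a virtual machine BTIHardwarePresent only becomes True once the hypervisor has its own microcode update and exposes the new CPU capability to the guest, so a fully patched guest can still report the firmware as absent.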
Other than replacing the vulnerable CPU hardware at some point in the future (once non-vulnerable CPUs come to market), there are no known permanent mitigation measures for
Detection of Exploitation
There are currently no known mechanisms for direct detection of active or previous exploitation of the Meltdown or Spectre vulnerabilities. Exploitation consists only of ordinary memory reads and cache-timing measurements inside the attacker's own process, so it leaves no entries in system or security logs.
Is anyone safe from Meltdown and Spectre CPU vulnerabilities?
No, not completely and not anytime in the near future…