Meltdown and Spectre CPU Flaws

Jan 04 2018

Two flaws have been found in the design of processors made from 1995 through today.

Meltdown – Intel architecture

The Meltdown flaw allows a program running on the computer to access any information that is in the computer's memory.  That could mean that information like passwords or parts of files could be accessed without the operating system being aware of this “illegal” action.

The Meltdown flaw affects Windows, macOS, Linux and any operating system that is running on x86 or x64 Intel architecture PCs.  The only Intel processors not affected are Intel Itanium and Intel Atom before 2013.  So far, vendors of each operating system have been working to provide patches to protect from this issue.  Meltdown does not seem to affect AMD x86 and x64 processors.

Servers with multi-user environments (remote desktop, ssh, x-windows) are at a larger risk because information between users can be accessed from memory.  Servers running virtualization like Xen PV, Docker, LXC and OpenVZ are also at a much higher risk since they have a single kernel environment that covers all memory in the server.  It appears VMware may be safe from Meltdown.

Spectre – All Processors

The Spectre flaw is a much larger problem. It affects Intel, AMD and ARM processors, so it affects nearly all computers: smartphones, tablets, servers, desktops and laptops.

The Spectre flaw allows a program written to attack this flaw to trick an error-free program designed to follow best security practices into leaking the information that it has in memory.  The scary part is that a program that implements the best security practices is more susceptible to the Spectre flaw.

Servers with multi-user environments (remote desktop, ssh, x-windows) are at a larger risk because information between users can be accessed from memory.  Servers running any form of virtualization are also at a much higher risk.  This means big security issues for cloud hosting providers.  There is little that is not affected by Spectre and its speculative execution flaw.

The Spectre flaw will be difficult to protect against because it uses features that are designed to improve the execution performance of the processor.

More Details

Each of these flaws can be used to read through all of the information that is in memory in the computer. When more than one person uses that computer, you could technically see information from the other users with a properly written program designed to take advantage of the flaw. Login passwords should not be affected; Microsoft has made many changes over the years to protect that password, but passwords for other applications and websites can be held in memory for a while and those could be obtained by these flaws.  There is nothing known today that is designed to attack either flaw.

More details will be published on this website after more security updates are released: https://meltdownattack.com

Cloud providers and Software vendors like Microsoft, Apple, Google, RedHat and other versions of Linux are working hard to release updates to protect from these 2 security flaws.

Fixed Software
Apple Mac and iOS – January 8, 2018 – Safari 11.0.2 and iOS 11.2.2
Google Android – January 1, 2018
Google Chrome –  January 23, 2018 on Chrome 64
Google Chrome OS – December 15, 2017 on kernel 3.18 and 4.4 for Chrome OS 63
Internet Explorer/Edge – January 4, 2018
Microsoft Windows – January 4, 2018
Mozilla Firefox – January 4, 2018
RedHat – January 4, 2018 and ongoing
Ubuntu – January 9, 2018
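
To confirm that a Linux server has actually picked up the kernel fixes listed above, the following added example (not part of the original post) reads the kernel's own per-flaw report. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus vendor backports), where Spectre is reported as two entries; the function names are this example's own.

```sh
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.
# Kernels that predate this interface have no such directory, which is
# reported here as "unknown" rather than silently treated as safe.

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_flaws [DIR] -> prints one line per flaw and returns 0 only if
# no flaw is vulnerable or unknown. DIR defaults to the real sysfs path.
check_cpu_flaws() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$flaw" ]; then
            text=$(cat "$dir/$flaw")
        else
            text=""   # file missing: kernel does not report this flaw
        fi
        state=$(classify_status "$text")
        printf '%-11s %-12s %s\n' "$flaw" "$state" "${text:-<no kernel report>}"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Check the live system when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    check_cpu_flaws
fi
```

The non-zero exit status makes the check usable from monitoring or configuration management on the multi-user and virtualization hosts described earlier.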

Fixes for Hardware
Dell and HP have pulled their Intel BIOS updates while Intel works on fixes (1/24/2018, ZDNet)
Asus
Dell Laptops/Desktops
Dell Servers
Intel
Lenovo