Meltdown and Spectre

Meltdown and Spectre: a bug in Intel chips that allows low-privilege processes to access memory in the computer’s kernel.

Back in 2007, Theo de Raadt, a software engineer from Calgary, Alberta, Canada, and founder and leader of the OpenBSD and OpenSSH projects, warned about bugs in Intel processors: “bugs that cannot be worked around by operating systems, and will be potentially exploitable”. That is a big statement; it basically says that nasty bugs are lurking in the shadows and that they simply cannot be easily patched. Apparently it did not get enough attention or gain enough traction for Intel to take action at that time, up until the recent disclosures. Thanks to the group of researchers who released the details of Meltdown and Spectre. It has been a decade, and here we are.

While programs are typically not permitted to read data from other programs, a malicious program can exploit the Meltdown and Spectre vulnerabilities to get data stored in the memory of other running programs. This could include passwords, photos, emails, instant messages and even documents on a target device. Why are you most probably affected? Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones. All modern processors capable of keeping many instructions in flight are potentially vulnerable. Researchers have verified Spectre on Intel, AMD, and ARM processors, which are most likely what one of your gadgets or devices uses.

The team of researchers at Google’s Project Zero, at universities including Graz University of Technology, the University of Pennsylvania and the University of Adelaide in Australia, and at security companies including Cyberus and Rambus released the details of two attacks based on that flaw, which they call Meltdown and Spectre. CVE-2017-5753 “bounds check bypass” and CVE-2017-5715 “branch target injection” are the official references to Spectre, and CVE-2017-5754 “rogue data cache load” is the official reference to Meltdown.

There are patches against Meltdown for Linux (KPTI, formerly KAISER), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, and to patch software after exploitation through Spectre (LLVM patch, ARM speculation barrier header).
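As an added example (not code from this post or from any vendor it names), the following shows the index-masking idiom that software hardening against the “bounds check bypass” variant relies on, in the style of the Linux kernel’s array_index_mask_nospec(): the mask is computed without a branch, so even a mispredicted bounds check cannot feed an out-of-range index into the load. The lookup table is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table; stands in for any array guarded by a bounds check. */
static const uint8_t table[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Returns all ones when index < size, zero otherwise, with no branch.
 * index | (size - 1 - index) has its top bit clear only when index is in
 * bounds; inverting and arithmetic-shifting that sign bit across the word
 * spreads it into the mask. Assumes index and size are below LONG_MAX, as
 * the kernel idiom does. A compiler may still rewrite this; the kernel pins
 * it with inline assembly, which is omitted here for portability. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1 - index))
                           >> (sizeof(long) * 8 - 1));
}

/* Ordinary bounds-checked lookup: architecturally correct, but the load may
 * still execute speculatively with an out-of-range index if the branch is
 * mispredicted. Returns -1 for out-of-range indices. */
int lookup_plain(size_t index)
{
    if (index >= TABLE_LEN)
        return -1;
    return table[index];
}

/* Hardened lookup: the same check, plus a mask that clamps the index to 0 on
 * the speculative out-of-bounds path, so no secret-dependent address forms. */
int lookup_nospec(size_t index)
{
    if (index >= TABLE_LEN)
        return -1;
    index &= array_index_mask_nospec(index, TABLE_LEN);
    return table[index];
}

int main(void)
{
    printf("mask(3, 8) = %#lx, mask(9, 8) = %#lx\n",
           array_index_mask_nospec(3, TABLE_LEN),
           array_index_mask_nospec(9, TABLE_LEN));
    printf("lookup_nospec(2) = %c, lookup_nospec(8) = %d\n",
           lookup_nospec(2), lookup_nospec(8));
    return 0;
}
```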

Here are some available patches and things you can do that help defend against possible attacks:

Firefox Web Browser

Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.

Google Chrome Web Browser

Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.

In the meantime, users can enable an experimental feature called “Site Isolation” that can offer some protection against the web-based exploits but might also cause performance problems.

  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labelled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

Windows OS (7/8/10) and Microsoft Edge/IE

Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.

Apple macOS, iOS, tvOS, and Safari Browser

Apple also released a statement acknowledging that they are affected too: “all Mac systems and iOS devices are affected”, with the exception of Apple Watch.

Apple has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and is expected to release mitigations in Safari to help defend against Spectre.

Android OS

Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.

VMware and Citrix

A global leader in cloud computing and virtualisation, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.

On the other hand, another popular cloud computing and virtualisation vendor, Citrix, did not release any security patches to address the issue. Instead, the company guided its customers and recommended that they check for updates to the relevant third-party software.

If you want some more technical information about Meltdown and Spectre, see the following: the academic paper and a blog post about Meltdown, and the academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

References: marc.info, meltdownattack.com, thehackernews.com