Story image

Intel processor vulnerabilities: What you need to know about Meltdown and Spectre

08 Jan 18

Microsoft, Linux, Google, and Apple have started rolling out patches addressing design flaws in processor chips that security researchers have named Meltdown and Spectre.

Here’s what you need to know about these flaws:

What are Meltdown and Spectre?

Meltdown, designated as CVE-2017-5754, can enable hackers to gain privileged access to parts of a computer’s memory used by an application/program and the operating system (OS).

Meltdown affects Intel processors.

Spectre, designated as CVE-2017-5753 and CVE-2017-5715, can allow attackers to steal information leaked in the kernel/cached files or data stored in the memory of running programs, such as credentials (passwords, login keys, etc.).

Spectre reportedly affects processors from Intel, Advanced Micro Devices (AMD), and Advanced RISC Machine (ARM).

Modern processors are designed to perform “speculative execution.”

This means it can “speculate” the functions that are expected to run, and by queuing these speculations in advance, they can process data more efficiently and execute applications/software faster.

It’s an industry technique used to optimise processor performance.

However, this technique permits access to normally isolated data, possibly allowing an attacker to send an exploit that can access the data.

What’s the impact?

Intel processors built since 1995 are reportedly affected by Meltdown, while Spectre affects devices running on Intel, AMD, and ARM processors.

Meltdown is related to the way privileges can be escalated, while Spectre entails access to sensitive data that may be stored on the application’s memory space.

The potential impact is far-reaching: Desktops, laptops, and smartphones running on vulnerable processors can be exposed to unauthorized access and information theft.

Cloud-computing, virtual environments, multiuser servers—also used in data centers and enterprise environments—running these processors are also impacted.

It’s also worth noting that the patches that have been released for Windows and Linux OSs can reportedly reduce system performance by five to 30%, depending on the workload.

Google’s Project Zero has proof-of-concept (PoCs) exploits that work against certain software.

Intel and Google reported they have not yet seen attacks actively exploiting these vulnerabilities so far.

Are they fixed?

Microsoft issued a security bulletin and advisory ahead of their monthly patch cycle to address these vulnerabilities in Windows 10.

Updates/fixes for Windows 7 and 8 will be deployed on the January Patch Tuesday on January 9.

Microsoft also issued recommendations and best practices for clients and servers.

Google has published mitigations on the infrastructure/products that may be affected (YouTube, Google Ads, Chrome, etc.).

They also released a Security Patch Level (SPL) for Android covering updates that can further limit attacks that may exploit Meltdown and Spectre.

A separate security update for Android will also be released on January 5.

Note that patching on Android is fragmented, so users need to notify their OEMs for their availability.

Nexus and Pixel devices can automatically download the update.

Apple’s macOS has been reportedly patched in version 10.13.2, while 64-bit ARM kernels were also updated.

VMWare also issued its own advisory.

Mozilla, whose team confirmed that browser-based attacks may be possible, addressed the vulnerabilities with Firefox 57.

Royole's FlexPai: So bendable phablets are a reality now
A US-based firm called Royole is delivering on that age-old problem of not being able to fold up your devices (who hasn't ever wished they could fold their phone up...)
Hands-on review: Having fun in Knowledge is Power: Decades and Chimparty
They don’t revolutionise social video gaming, but they are enjoyable enough to occupy you during a wet weekend. 
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
Tile's Mate & Pro Bluetooth trackers land in NZ
If your car keys (or your tablet) have disappeared into the void at the back of the couch or if you left them somewhere in your car, retracing your steps to find them could be a thing of the past.
Government still stuck in the past? Not on GovTech's watch
What exactly is GovTech and what’s been happening in our capital city?
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.
Hands-on review: The iPhone Xs
The iPhone Xs is a win that brought numerous new and exciting features to the market.
How much does your Amazon Prime Video subscription really get you?
For our NZ$8.90 per month, the average cost per title is US$0.00126 - but we only really get a choice of 416 TV shows and 4321 movies. Choice is a little bit limited compared to other countries.