Just in Time Bulletin: Meltdown and Spectre

What are Meltdown and Spectre?

Three critical vulnerabilities were recently identified by independent teams of security researchers. The three vulnerabilities, collectively dubbed Meltdown and Spectre, impact all Intel CPUs built in the last 15 or so years – which is quite a significant number of devices. These two vulnerabilities enable a malicious user land application to read the protected kernel memory of other processes (Meltdown) and applications (Spectre). This could include things like passwords, personal documents, and credit card data.

Who is affected by this?

Almost everyone. Meltdown exclusively impacts Intel processors. So, if you have an Intel CPU you’re impacted. Spectre on the other hand impacts Intel, AMD, and ARM processors. Combined, the list of vulnerable devices includes PCs, Macs, Android and iOS devices, baby monitors, your microwave (probably) – all of which run a vulnerable CPU.

How are they exploited?

Exploitation occurs through the execution of malicious untrusted applications. Proof of concept JavaScript code has been released for Linux. This means that all a victim has to do is visit the wrong website. Spectre is a more difficult vulnerability to exploit, and to this point no proof of concept code has been seen in the wild.

What do they do?

The vulnerabilities enable an attacker to defeat the barriers between the memory space of user-land (normal) processes and kernel process. This effectively enables a malicious application to read portions of kernel memory, which often contains data prior to being encrypted, processed, and sent to a socket.

How do I protect myself?

Update your software! Microsoft, Apple, Google, and other vendors have released patches to mitigate the risk Meltdown. If an update is available for your platform, install it. Intel has also announced that 90% of the CPUs released within the last 5 years will have a patch available by next week, which should mitigate the impact of Spectre.

Outside of software updates, use sound fundamental security principles when accessing the Internet. Avoid downloading an executing files from untrusted sources, and avoid visiting unknown sites.

Additional Resources: