Tuesday , December 11 2018 Ausdroid » Hardware » Google issuing patches to fix new Meltdown and Spectre exploits in Intel, ARM and AMD processors

Security researchers have discovered and disclosed two new exploits that can be executed against modern processors dubbed “Meltdown” and “Spectre”. The range of potentially affected processors is vast:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

Meltdown and Spectre exploits are very distinct attacks, with both exploits allowing attackers to break isolation between applications to access information. However the biggest point of difference is the specific processors affected by each attack.

For example, Meltdown has only been assessed to impact Intel processors, though the range of potentially affected processors is vast:

“More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”

Spectre, on the other hand, appears sadly and worryingly to have a much wider reach. According to the researchers, nearly every type of device has been exploited by Spectre; it has been verified to work across Intel, AMD and ARM processors.

According to the researchers, Spectre is technically a bit more harder to exploit than Meltdown, though the researchers have cautioned that it is also harder to guard against. The exploit attacks also work against cloud servers, which could leave customer data vulnerable.

The good news is that at least some fixes are in the wild or on the way. For Google and its part, it has an FAQ listing the status of its products and how they’re affected:

  • Google stated that it has patched the vulnerabilities in the January security patch for Android devices.
  • Chromebooks running Chrome OS version 63 or later (which started rolling out December 15, 2017) are patched.
  • Version 64 of the Chrome browser, due to release this month, “will contain mitigations to protect against exploitation.”
  • Google Home, Chromecast, Google Wifi and Google OnHub are all listed as “no additional user action needed.”
  • G Suite (Google Apps) has been fixed on the back end and requires no user interaction.

Google has stated that it is “unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.”

Currently, there are patches against Meltdown for Linux, Windows, and macOS. With Spectre, it isn’t an easy fix, with the researchers stating that there is ongoing work to “harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre.”

If you would like to know more about the Spectre and Meltdown exploits and the researchers’ report, you can read it here.

Alex Dennis   Journalist

By day, Alex works within the Industrial Relations field/occupation but by night and in his spare down time he searches the net for anything and everything relating to Android and Chrome related products and news.

Other various interests Alex has include, Accessible transport for people with disabilities along with LGBTIQ and Health related fields and interests for again for people with disabilities.

1
Join the Ausdroid Conversation

avatar
1 Comment threads
0 Thread replies
1 Followers
 
Most reacted comment
Hottest comment thread
1 Comment authors
Tom Sekulic Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Tom Sekulic
Ausdroid Reader

It’s been widely reported (Tom’s Hardware e.g) that benchmarked performance (I/O) has dropped by up to 30% on patched machines (tested on Intel CPU’s).
Can someone with Google security patch applied on their device do a benchmark? We could then compare it with previous benchmark results pre-January fix.
Considering that I own a Samsung S8+ (XSA non Telco Branded), it will be a while before security fixes come out.

Check Also

New Telegram update brings custom languages and more to v5.0

There are a vast number of messaging apps available to the user but our favourite …