Security researchers have discovered and disclosed two new exploits that can be executed against modern processors dubbed “Meltdown” and “Spectre”. The range of potentially affected processors is vast:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
Meltdown and Spectre exploits are very distinct attacks, with both exploits allowing attackers to break isolation between applications to access information. However the biggest point of difference is the specific processors affected by each attack.
For example, Meltdown has only been assessed to impact Intel processors, though the range of potentially affected processors is vast:
“More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.”
Spectre, on the other hand, appears sadly and worryingly to have a much wider reach. According to the researchers, nearly every type of device has been exploited by Spectre; it has been verified to work across Intel, AMD and ARM processors.
According to the researchers, Spectre is technically a bit more harder to exploit than Meltdown, though the researchers have cautioned that it is also harder to guard against. The exploit attacks also work against cloud servers, which could leave customer data vulnerable.
The good news is that at least some fixes are in the wild or on the way. For Google and its part, it has an FAQ listing the status of its products and how they’re affected:
- Google stated that it has patched the vulnerabilities in the January security patch for Android devices.
- Chromebooks running Chrome OS version 63 or later (which started rolling out December 15, 2017) are patched.
- Version 64 of the Chrome browser, due to release this month, “will contain mitigations to protect against exploitation.”
- Google Home, Chromecast, Google Wifi and Google OnHub are all listed as “no additional user action needed.”
- G Suite (Google Apps) has been fixed on the back end and requires no user interaction.
Google has stated that it is “unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.”
Currently, there are patches against Meltdown for Linux, Windows, and macOS. With Spectre, it isn’t an easy fix, with the researchers stating that there is ongoing work to “harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre.”
If you would like to know more about the Spectre and Meltdown exploits and the researchers’ report, you can read it here.
It’s been widely reported (Tom’s Hardware e.g) that benchmarked performance (I/O) has dropped by up to 30% on patched machines (tested on Intel CPU’s).
Can someone with Google security patch applied on their device do a benchmark? We could then compare it with previous benchmark results pre-January fix.
Considering that I own a Samsung S8+ (XSA non Telco Branded), it will be a while before security fixes come out.