Video: Spectre — Worst Vulnerability Ever?

Manish Vachharajani
Dev Stack Unbounded
2 min read · Jan 24, 2018

Unbounded Systems co-founder Manish Vachharajani explains how the recent Spectre hardware vulnerability works, making the case that it’s one of the worst security vulnerabilities ever announced.

Early this year (2018), two major hardware vulnerabilities were announced: Spectre and Meltdown. Both of these vulnerabilities rely on side effects of speculative execution in the processor to leak sensitive data that the attacker would normally not be able to see.

There have been numerous videos and articles giving a high-level explanation of Spectre and proclaiming it one of the worst hardware vulnerabilities. Spectre is particularly bad because it can be exploited remotely, via JavaScript, and can potentially access data that is in your browser’s memory — things like cookies and passwords.

What makes Spectre even worse is that despite mitigation strategies, there is no good fix, short of removing speculation altogether. Unfortunately, this is a non-starter because of the severe performance penalty from such a drastic move.

It appears that mitigation strategies in the browser and other programs that execute untrusted code can reduce the attack surface and mitigate the impact of this bug, but a true hardware-level fix that retains the performance of modern processors remains elusive at the time of this writing.

The only good news is that systems that don’t run untrusted code aren’t directly vulnerable, though it is always possible to leverage this (or any other) vulnerability in conjunction with others to attack affected systems.

In this video, Unbounded Systems co-founder Manish Vachharajani briefly explains how Spectre works, why it is such a terrible bug, and why a real fix isn’t immediately on the horizon.

Connect with Unbounded Systems on our blog, Twitter and YouTube to keep up with the latest dev tools and trends. And an occasional rant.

Originally published on the Unbounded Systems Blog.

Manish Vachharajani
Dev Stack Unbounded

Entrepreneur and Infrastructure Software Fanatic. Co-founder Unbounded Systems, makers of https://adaptable.io — the easiest way to deploy your app.