Understanding Meltdown & Spectre

Maxime Saddok
Monaize — Tech
Jan 26, 2018

To be clear before we start: if you haven’t updated your computer(s) and mobile phones within the last 2 weeks, do it now.

On Wednesday, January 3rd, Google’s Project Zero publicly disclosed three extremely important exploits, allowing almost any computer to get hacked. And, when I say “almost any computer”, I mean whether you have Intel or any other processor, this concerns you. But it’s “okay”, no need to panic!

Named Spectre and Meltdown, these vulnerabilities allow the attacker to read kernel memory of any application that is running on the hacked computer. That being said, imagine you are typing your credit card information for shopping on Amazon and you have installed this cool weather widget in your tray bar; if the latter is malicious and contains the exploit, the attacker could read all your keyboard inputs in real time, including your credit card number. Spectre even allows the attacker to do this between virtual machines on the same hypervisor.

It is important, for your own data and privacy, to update all your devices regularly, and not only when such vulnerabilities are disclosed. Even if it’s your fridge, you should always remember it is a connected device, and probably vulnerable.

At Monaize, we updated all our servers for Meltdown as soon as the patch was released. Our hosting provider was on an immediate war footing and took the necessary steps from day 1.

However, the mitigation for Spectre seems to be even more complicated. It is related to the way CPUs are designed, so the only real fix is to change the chips… Many patches will come but for now it is uncertain how to mitigate it correctly.

At Monaize, we believe that everyone should be able to access and manage their data in a secure manner with peace of mind. This is why we encourage everyone, not only our own users, to update their devices and to continue to do so on a regular basis.

iOS, Android, Windows, OSX, Linux users, go patch now and spread the word!
