Quick summary on Meltdown and Spectre critical vulnerabilities in modern processors

Thanh Nguyen (tradahacking)
Published Jan 4, 2018 · 2 min read

Summary

Variants of CPU data cache timing issues are known to affect many modern processors, including certain processors by Intel, AMD and ARM. The attacks, named Spectre and Meltdown, were reported more than six months ago by a group of researchers and Google Project Zero. They can be used to leak information out of mis-speculated execution, leading to arbitrary virtual-memory read vulnerabilities across local security boundaries in various contexts.

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Meltdown works on Intel processors.

[Video: Meltdown in Action: Dumping memory]

Spectre tricks other applications into accessing arbitrary locations in their own memory. Spectre works on most modern microprocessors, including non-Intel ones (AMD and ARM). Spectre looks harder to exploit, but there is no easy fix.

Linux's KPTI (aka KAISER) patch has been widely applied as a mitigation for Meltdown and, partly, for Spectre. The KAISER patch affects performance for anything that does system calls or interrupts, slowing the system by 5–30% depending on the task and the CPU model.

CVEs: CVE-2017-5754, CVE-2017-5753, CVE-2017-5715
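A quick way to check whether a Linux host carries the KPTI mitigation and how the kernel rates the three CVEs above, as an added example that is not code from the original post. It assumes the kernel's `/sys/devices/system/cpu/vulnerabilities/` entries (`meltdown`, `spectre_v1`, `spectre_v2`) and the `pti` flag in `/proc/cpuinfo`; constructed sample values are used where those are absent so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post. It classifies the status
# strings Linux exposes under /sys/devices/system/cpu/vulnerabilities/ for
# the three CVEs above and checks whether KPTI is active. Constructed sample
# values stand in for the sysfs entries when they are not present.

# Map one sysfs status string to: not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# KPTI shows up as the "pti" entry in the /proc/cpuinfo flags line.
# $1 is that flags line (passed in so it can be tested on a constructed value).
kpti_active() {
    case " $1 " in
        *" pti "*) echo yes ;;
        *)         echo no ;;
    esac
}

# Read the live sysfs entry if readable, else return the constructed sample in $2.
read_vuln() {
    f="/sys/devices/system/cpu/vulnerabilities/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "$2"; fi
}

# Print one line per CVE: sysfs name, CVE, classification, raw status.
report() {
    for entry in \
        "meltdown|CVE-2017-5754|Mitigation: PTI" \
        "spectre_v1|CVE-2017-5753|Vulnerable" \
        "spectre_v2|CVE-2017-5715|Vulnerable"
    do
        name=${entry%%|*}; rest=${entry#*|}; cve=${rest%%|*}; sample=${rest#*|}
        status=$(read_vuln "$name" "$sample")
        printf '%-10s %-14s %-12s %s\n' "$name" "$cve" \
            "$(classify_status "$status")" "$status"
    done
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || echo "")
    printf 'kpti_active: %s\n' "$(kpti_active "$flags")"
}

report
```

Anything reported as `vulnerable` is a kernel still missing the corresponding patch; `not_affected` is the kernel's own verdict for the CPU model, not a sign that a fix is installed.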

Vendor Responses

Intel

AMD

ARM

Patches

Links

Founder at VNSecurity | Interested in Security & BioHacking.