Technology companies around the world have revealed details about a pair of processor vulnerabilities that affect all AMD, Intel, and ARM processors. Both Meltdown and Spectre represent critical flaws that could allow attackers to steal passwords and hijack system processes. Thankfully, patches are already being pushed out to resolve the issue.
Meltdown is arguably the bigger issue of the two vulnerabilities, but appears to be only limited to Intel’s x86 processors. While Spectre is the flaw that covers just about every company out there. That said, Spectre is somewhat more difficult to exploit; which may limit how much damage can be done.
The problem stems from the “speculative execution” of code, where the processor attempts to guess at what task will need to be done next. In the event that the guess is correct, it simply executes the code; but if it isn’t then the processor will have to reverse course and load the right task. For the most part, this results in a faster computer.
However, it turns out that this method allows attackers to read system memory that should have been kept separated from the rest of the data. This system memory just happens to be unsecured; which means that passwords and other critical information can be stolen.
Fixes for Meltdown are already being pushed out by Microsoft, Linux, and Apple. There was some speculation that the patch would separate system memory from the kernel, and therefore reduce performance. However, Intel is saying that this will not be the case.
Both flaws were originally discovered by Google’s Project Zero, which seeks out potential zero-day exploits and shares them with the relevant companies. Google had informed Intel and its partners of the issues back in June 2017, and all parties have been working to resolve the problem since then.
For its part, Google is saying that its products are already safe and secured. Provided that users have kept their devices updated. Which everyone really should be doing, no matter what platform they are on.
[Source: Reuters, Google Security Blog]
