Nearly all modern Intel, AMD, and ARM processors (CPU) feature a security flaw that allows for two exploits to access what should be secure data. These exploits have been named ‘Meltdown’ and ‘Spectre’.
Both CPU exploits can access data on desktops, laptops, and cloud computers. One of the two, Spectre, can also access smartphones. As for which cloud servers are affected, Docker, LXC, or OpenVZ have been listed.
A research group broke down the two exploits:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
To put it simply, Meltdown and Spectre are two different vulnerabilities:
- Meltdown: The easier and more serious vulnerability. The ‘Meltdown’ exploit breaks down CPU-level protections and allows a program to access memory that it otherwise would not have access to.
- “Every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).” Whether or not this affects AMD and ARM processors has not made clear.
- The patch for ‘Meltdown’ incurs the performance penalties.
- Spectre: Like Meltdown, Spectre allows for the leaking of memory. Spectre breaks down the walls between applications and allows an attack to trick error-free programs into leaking secrets. Safety checks might make applications more susceptible to Spectre. This exploit is harder to achieve, but also harder to exploit.
- Intel, AMD, and ARM processors are affected (basically almost every system).
- The patches here have less of a performance effect.
Intel has replied to claims that its CPUs feature a security flaw. stating that they are working on a fix and are not the only ones affected. Intel has begun providing software and firmware updates to mitigate the exploits. AMD claims that their processors have a near “zero risk” of exploitation, except one variant of the exploits, which can be resolved with an update. ARM, on the other hand, has supplied a list of which processors are affected and how they are exploitable, as well as workarounds.
Google has detailed the steps it will be taking to limit the possibility of exploits in their products. Microsoft pushed out a security update for Windows and will be rebooting affected Azure machines. Amazon has released their own update and is in the process of protecting their cloud.