Overview
A design flaw recently discovered in Intel microprocessors
has Linux and Microsoft Windows developers reworking their kernels to defend
against exploitation of the security bug. It has been speculated that the OS
updates ultimately could slow performance of the systems, in some
cases by 5 to 30%. Newer Intel processors aren't as susceptible to a
performance impact.
Security researchers from Google's Project Zero and several
universities discovered critical flaws in a method used by most modern
processors for performance optimization. The flaws could allow an attacker
to read sensitive system memory, which could contain passwords, encryption
keys, and emails, for example. The vulnerabilities affect CPUs (processors)
from Intel, AMD, and ARM released since 1995. It has also been noted that
tests on virtual machines used in cloud computing environments extracted
data from other customers using the same server.
Technical Attack Summary
The actual flaws reside in a technique called "speculative
execution" that is employed by all modern CPUs. This is a basic
optimization technique that processors employ to carry out computations for
data they "speculate" may be useful in the future. Researchers discovered
a way to use speculative execution to read data from the CPU's memory
that should not have been available to user-level apps. Three flaws were
discovered that were combined in two attacks, named Meltdown (CVE-2017-5753
and CVE-2017-5715) and Spectre (CVE-2017-5754).
Meltdown: It breaks the most fundamental isolation between
user applications and the operating system. This attack allows a program to
access the memory, and thus also the secrets, of other programs and the
operating system.
Spectre: It breaks the isolation between different
applications. It allows an attacker to trick error-free programs, which follow
best practices, into leaking their secrets. In fact, the safety checks of said
best practices actually increase the attack surface and may make applications
more susceptible to Spectre.
Impact Overview
The flaws affect all major chipset vendors (Intel, AMD, ARM), all
major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud
providers (Amazon, Google, Microsoft), and application makers. These
issues are hardware bugs that will need both firmware patches from CPU
vendors and software fixes from both OS and application vendors.
Affected by Meltdown:
- Every Intel processor which implements
out-of-order execution is potentially affected by Meltdown, which is
effectively every processor since 1995 (except Intel Itanium and Intel Atom
before 2013).
Affected by Spectre:
- Spectre affects Intel, AMD, and ARM processors,
and the attack affects desktops, laptops, cloud servers, and smartphones.
What Is Affected
- Servers
- Workstations
- Laptops
- Cell phones
- Tablets
- Smart TVs
- IoT devices
- Other devices with affected CPUs
Patches Coming Up
- Linux maintainers have already shipped versions of the
Linux kernel containing the fixes.
- Microsoft is providing software and firmware updates to
mitigate the attacks, but only for Windows Insiders builds, with patches
for mainstream Windows branches expected next week (Patch Tuesday).
- Apple reportedly patched the issue in macOS 10.13.2.
- Cloud providers such as Google, Amazon, and Microsoft
are set to patch issues this and next week.
- Intel will soon provide the software and firmware
updates to mitigate the attacks.
- ARM also released fixes for the variant affected by Spectre.
- Android patches are already released.
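
To confirm that a Linux host is actually running one of the fixed kernels, the following added example (not part of the original article) reads the kernel's self-reported mitigation status. It assumes a kernel that exposes the sysfs directory /sys/devices/system/cpu/vulnerabilities; the function names classify_status and report_mitigations are hypothetical.

```shell
#!/bin/sh
# Added example: summarize the kernel's self-reported status for the
# three flaws (Meltdown and the two Spectre variants).
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.
# If the files are missing, the kernel may predate the fixes.

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU does not have the flaw
        Mitigation:*)    echo OK ;;          # a mitigation is active
        Vulnerable*)     echo VULNERABLE ;;  # affected, no full mitigation
        *)               echo UNKNOWN ;;     # empty or unrecognized report
    esac
}

# report_mitigations [DIR] -> prints one line per flaw and
# returns 1 if any entry is VULNERABLE or UNKNOWN, 0 otherwise.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(cat "$dir/$name")
            verdict=$(classify_status "$line")
        else
            line="(no report; kernel may predate the fixes)"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$line"
    done
    return $rc
}
```

Source the file and call report_mitigations with no argument on a live host; a non-zero return means at least one flaw is unmitigated or unreported, so the host still needs a kernel or firmware update.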