Meltdown and Spectre function differently, and are said to make every device manufactured over the past 20 years vulnerable. These bugs allow programs to steal data which is currently processed on the computer.
A website has been created to describe Meltdown and Spectre in more detail, which includes valuable information about how we can defend against this dual threat.
According to The Verge, Intel chips have been the focus of initial research, although it remains unclear if other chips are susceptible. In a public statement, Intel said “many different vendors’ processors and operating systems... are susceptible to these exploits.” Adding fuel to the fire, it seems Intel’s CEO, Brian Krzanich sold off a large portion of Intel stocks last November, totalling around $24 million – around 80% of those he owned. Intel is said to have known about Meltdown and Spectre since about June 2017.
AMD has denied any of its processors are vulnerable to attack, although Google researchers say they’ve demonstrated a successful attack on AMD’s FX and PRO CPUs. The Cortex-A processors from ARM were also confirmed as vulnerable.
Google’s Project Zero released further details, showing the bug to affect both Android and ChromeOS devices, although Google claims that exploitation of the bug is “difficult and limited on the majority of Android devices.” The next version of Chrome coming later this month will be altered to mitigate attack, enabling the existing “site isolation” feature to provide some protection.
Microsoft has also released an emergency patch to all devices with Windows 10, planning to update further.
Apple has also (finally) confirmed that all Mac and iOS devices are affected, racing to patch operating systems and cloud computing infrastructure at the highest levels.
There is also a lot of talk about how the various patches will affect processor performance.
Meltdown is the easier of the two bugs for a hacker to take advantage of. It breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your processor is vulnerable, it is not safe to work with sensitive data without the chance of the data leaking. This applies to personal computers and cloud infrastructure. Luckily, there are software patches against Meltdown.
A Spectre At The Feast
From either side, Spectre is an altogether more tricky nut to crack. It breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, following best practices actually increases the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
What You Need To Do
The best course of action is to visit the Meltdown and Spectre website to find out which software patches or damage control you need to implement to stop these menaces before they start, reading the website thoroughly. Download the necessary software patches and implement them asap.