The hardware bugs have been dubbed Meltdown and Spectre. Meltdown is named for the metaphorical melting of security boundaries that are taken as a given because they are enforced by hardware itself. Spectre is named based on the root cause of the bug; speculative execution.
Both are very serious and are almost certain to affect you. Meltdown (CVE-2017-5754) breaks the isolation between user applications and the operating system. Applications that exploit the hardware bug can access the OS / System memory and the memory of other applications. In essence, this means a malicious (though seemingly benign) application can steal sensitive data from memory. Applied to cloud services, this brings up the possibility of sensitive information being stolen from other customers, though cloud providers have already addressed the issue for the most part.
Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the expected isolation between different applications. If exploited, it allows a malicious application to trick error-free programs into leaking sensitive information. What makes it even worse is that the discoverers of Spectre say the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Here is a video of Meltdown in Action:
What do I do to prevent exploitation?
Mitigation efforts are currently underway. There are software patches against Meltdown already available for Windows, Linux and OS X and being pushed through the usual update channels. Meltdown affects Desktop, Laptop, and Cloud computers. Specifically, it affects every Intel processor which implements out-of-order execution, which is almost every processor since 1995 aside from Intel Itanium and Intel Atom before 2013. AMD's assessment so far indicates that there is a near-zero risk to AMD processors as of now, but it will continue its assessments as more information becomes available.
Spectre is more difficult to exploit but also more difficult to mitigate. It affects almost every system; Desktops, Laptops, Cloud Servers, Smartphones, Tablets etc. This is due to the fact that Spectre has been demonstrated to affect Intel, AMD and ARM hardware. Google's researchers so far has found execution difficult and limited on the majority of Android devices, but has added additional protection in the latest Android security updates. Addressing Spectre is much more difficult because it requires the hardening of software applications too.
Even web browsers pose an opportunity for exploitation of Spectre. Microsoft is already pushing an update for Internet Explorer, while Google promises that the release of Chrome 64 this month will include protective updates. Until then, you can turn on Site Isolation in Chrome to prevent potential attacks. Mozilla will include measures against exploitation in version 57 of Firefox.
To reduce the risk from Meltdown and Spectre you really have to return to best security practices. Keep your operating system up to date, along with your applications (particularly web browsers). Use common sense about what webpages you access online just as you would already to avoid malware exposure. Keep an eye on the news because more protective measures will emerge and the bugs may also be exploited in the wild. Currently, it is unknown whether Meltdown or Spectre have been exploited in this way.
Further Reading:
Meltdown and Spectre: meltdownattack.com
Written by: James Delahunty @ 4 Jan 2018 3:46
