Meltdown melts security boundaries enforced by hardware while Spectre breaks the isolation between different applications- giving hackers the ability to steal sensitive data. (Image credit: Pexels)
Researchers have discovered a pair of flaws in computer chips that could leave billions of mobile devices and computers vulnerable to security risks. Known as the Meltdown and Spectre, these exploits target critical vulnerabilities in nearly all modern processors, allowing hackers to steal data that is being processed on those devices.
According to Meltdownattack.com (an information site set up by researchers from several Universities, corporations and government entities), “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
Just as it sounds, the Meltdown exploit does just that- it melts down the isolation barrier between user applications and the operating system, allowing someone to access to the application memory and any data stored there. Spectre, on the other hand, works to break the isolation between different applications. Out of the two, this is the worst one as it comes in two variants- CVE-2017-5753 and CVE-2017-5715, both of which allow an attacker to ‘trick’ error-free applications through ‘side-channel attacks’ designed to gain cryptographic keys and sensitive data.
The number of potentially affected processors is staggering- nearly every Intel CPU manufactured from 1995 on up has these vulnerabilities in their architecture, some ARM Cortex processors are susceptible, and AMD is only affected by Meltdown as their hardware architecture negates Spectre. RISK-V silicon is apparently immune to both, which is excellent news for the open-hardware community.
The good news- Meltdown can be averted or mitigated through a software patch, and most OS companies have scrambled to get theirs to the masses, including Microsoft, iOS, Android, Google, Debian, Red Hat and a host of others. The bad news- its thought only certain exploitations of Spectre can be mitigated and could potentially require new processor architecture, meaning we will have to upgrade at some point in the near future to combat the issue. It’s not currently known if anyone has suffered any attacks using these exploits, so better to be safe and update your software now if you already haven’t- a complete list of affected vendors can be found on the aforementioned Meltdownattack.com website.
Have a story tip? Message me at: cabe(at)element14(dot)com