New CPU Vulnerabilities – Spectre & Meltdown

Spectre & Meltdown are two newly discovered vulnerabilities affecting Intel/AMD/ARM (Spectre) and Intel (Meltdown) chips. While these vulnerabilities would be very complicated to exploit, exploitation is possible, most likely by large groups or nation-state actors. The impact of potential attacks is also pretty severe: attackers could gain the ability to access data stored in memory, including documents, pictures, passwords, etc. The scale of these vulnerabilities is quite extensive as well, and is really the most terrifying part of this story. They affect everything from servers to smartphones, potentially millions of devices.

Microsoft, Apple, Linux, and Google say they have already pushed patches to protect users from these vulnerabilities. The patches have to be applied at the OS level.

The patches for Intel processors will supposedly affect the performance of the chips. The research that I have done has said that it could affect performance anywhere between 5% and 30%.

Something interesting to note is that Intel has known about these vulnerabilities since around June 2017. Late last year their CEO sold off all the shares that he could while still remaining CEO, leaving him with 250,000.

Sources:
https://www.reddit.com/r/sysadmin/comments/7o39et/meltdown_spectre_megathread/
https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html
http://mashable.com/2018/01/03/microsoft-patch-processor-vulnerability/#Wj.3GVZFUqqq
https://www.cnbc.com/2018/01/04/intel-ceo-reportedly-sold-shares-after-the-company-already-knew-about-massive-security-flaws.html

Edit 1-15-18:
Here is a link to a PDF detailing Spectre/Meltdown attacks and research: Click Here.
If I am understanding this right, it seems that there is no way to patch the Spectre vulnerability without buying new hardware.

Edit 1-23-18:
Found a great breakdown on the subject on ThreatWire (Hak5) that goes over all the potential attacks and new updates to mitigate them.
https://youtu.be/sNgiYM8e5iE
