Director – Product Marketing
Jan 8, 2018
Headline: Meltdown and Spectre – Bugs in modern computers leak passwords and sensitive data.
Following their discovery of this flaw in processor chips several months ago, researchers secretly contacted the various impacted vendors to give them time to work on patches. They avoided broadcasting the information on social media, so as not to alert hackers to the vulnerability and the potential hacking opportunity.
What does this mean?
Due to a widespread computer chip flaw, almost all computers and mobile devices are vulnerable to the Meltdown and Spectre attacks. Anyone with a computer or device running Windows, OS X, Android, or others (virtually all software platforms) is equally vulnerable. Every Intel processor is potentially at risk, which is effectively every processor manufactured since 1995 (with the exception of Intel Itanium and Intel Atom before 2013). Testing confirmed that chips going back to 2011 were vulnerable. As of this writing, experts have also verified that Spectre impacts ARM and AMD processors; their vulnerability to Meltdown, however, is yet to be confirmed. Microsoft, Linux and OS X have released patches to address the chip flaw. One additional concern: Microsoft says a user’s antivirus software could actually stop them from receiving the required emergency patches issued for Windows. (Learn more here.)
Why are these attacks dangerous?
Both Meltdown and Spectre exploit critical vulnerabilities in modern processors and allow critical information stored deep inside computer systems to be exposed. Programs are typically not permitted to read data from other programs, but Meltdown breaks the mechanism that segregates and isolates user applications, thereby allowing unauthorized access to arbitrary system memory. This puts sensitive data, proprietary information, the secrets of programs (including passwords), and the operating system at risk. Spectre also breaks the isolation between different applications: it tricks error-free programs into disclosing information by exploiting established-practice safety checks and other features. Both attacks use side channels to obtain the sensitive information from the accessed memory location. On an unpatched operating system, it is not possible to work with sensitive information without the chance of leaking it. This applies to personal computers, cloud infrastructure applications, mobile devices and more. A wider risk is that Meltdown could theoretically be applied across cloud platforms, against massive arrays of networked computers that routinely share and transfer data among a wide range and number of users and instances.
Is there any good news?
Yes. Meltdown is difficult to execute remotely and is easiest to perform with code running on the machine itself. Also, keep in mind that being vulnerable does not mean a system has been exploited. Nonetheless, staying ahead in mitigating the risk is the best approach.
Getting your computer and system patched immediately is prudent security hygiene. It should be the first order of business for anyone responsible for any kind of device mentioned above, which basically means everyone and every device. For more information, check out TechCrunch.com on the flaw.