Meltdown and Spectre exploit the critical vulnerabilities in modern processors, such as the leaking of passwords and sensitive data. Following the discovery of a flaw in processor chips several months ago, researchers secretly contacted various impacted vendors to give them time to work on patches. They avoided broadcasting the information on social media, so as not to alert hackers to the vulnerability and the potential hacking opportunity.
Almost all computers and mobile devices are vulnerable to the Meltdown and Spectre attacks
Due to a widespread computer chip flaw, almost all computers and mobile devices are vulnerable to the Meltdown and Spectre attacks. Anyone with a computer or device running Windows, OS X, Android, or others — virtually all software platforms — are equally vulnerable. Every Intel processor is potentially at risk, which is effectively every processor manufactured since 1995 (with the exception of Intel Itanium and Intel Atom before 2013). Testing confirmed chips going back to 2011 were vulnerable. As of this writing, experts have also verified Spectre impacted ARM and AMD processors, however their vulnerability to Meltdown is yet to be confirmed. Microsoft, Linux and OS X have released patches to address the issue of the chip flaw. One additional concern: Microsoft says a user’s antivirus software could actually stop them from receiving the required emergency patches issued for Windows.
Why are these attacks dangerous?
Both Meltdown and Spectre exploit critical vulnerabilities in modern processors. They allow the exposure of critical information stored deep inside computer systems. Programs typically do not permit the reading of data from other programs. But Meltdown breaks the mechanism that isolates user applications, thereby allowing unauthorized access to arbitrary system memory. This puts sensitive data, proprietary information, secrets of programs, and operating system at risk. Spectre also breaks the isolation between different applications. It goes this by tricking error-free programs into disclosing information. Then exploiting established practice safety checks and other features.
Both attacks use side channels to obtain the sensitive information from the accessed memory location. It is not safe to work with sensitive information on an unpatched operating system. There is a chance of leaking the information. This applies to personal computers, cloud infrastructure applications, mobile devices and more. A wider risk is that Meltdown theoretically applies across cloud platforms. It is against massive arrays of network computers routinely transferring data among a wide range of users and instances.
Is there any good news?
Yes. Meltdown is difficult to execute remotely and easiest to perform by code ran by the machine itself. Also, keep in mind vulnerable does not mean that a system went through exploitation. Nonetheless being ahead in mitigating the risk is the best approach.
What is next?
Getting your computer and system patched immediately is prudent security hygiene. It is the first order of business for anyone responsible for any kind of device we mention above. Therefore, everyone and every device.