Yusuf On Security: Security news, opinion and advice

Meltdown and Spectre: two security issues at the heart of almost every computer in use

Meltdown and Spectre are serious vulnerabilities with a wide-reaching impact. They affect nearly every computer and device running a current processor. Big vendors are affected, including Microsoft, Apple macOS, Google Android and ChromeOS, as they all run on either Intel or ARM. The loopholes have existed for years. The flaws take advantage of loopholes that exist in most modern processor versions too.

They are called Meltdown and Spectre. As these flaws go these days, perhaps famously ever since Heartbleed, they come with their own custom logos too.
The two exploits were nicknamed for how each affects the system: one melts down the secure boundary between the OS and the user applications running on top of it. The other, Spectre, breaks the isolation between different applications. With Spectre, an app with bad intentions could steal secrets from other apps running on your phone: a process steals data from an adjacent running process because they both share a common platform. This is why cloud service providers are the worst affected, because they run or host numerous customers' data or applications on the same hardware.

A running list of affected microprocessors is hosted on US-CERT. You can also keep an eye on who patched what.

These are not software-level vulnerabilities but information disclosure vulnerabilities, just like Heartbleed. More specifically, they are hardware vulnerabilities: the flaws have to do with the design of the microprocessor's operation.

The research papers can be obtained from the official site, but they are also available directly from here and here.

The reason these flaws are so critical is that they affect millions of computers. Specifically, the flaws grant complete access to protected memory. Normally, an application does not allow another application's process to read or access its protected memory space. These flaws break that protection, so a process could read areas of computer memory it should not have access to. In essence, the vulnerability, though not seen exploited in the wild, could allow an attacker to read secrets such as passwords, or anything else contained in memory on the exploited computer.

What makes this even more devastating is that it can be exploited over the Internet through the use of JavaScript. This could extend to browsers retrieving sites that serve ads loaded with malware.
The exploits were released ahead of their intended time, and this resulted in everyone scrambling to push something out sooner rather than later.

[update] Microsoft has put out a guide to patching against these flaws:

1. Ensure that your anti-virus vendor has updated their application and that you have their latest update.

2. Update to the latest Windows updates, and in particular make sure this includes the January 2018 update.

3. Apply the microprocessor firmware update released by your particular maker.

Users can do little other than update their systems.
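To confirm the outcome of steps 2 and 3 on a Windows machine, the following added example (not code from Microsoft's guide or from this post) maps the flags reported by Microsoft's SpeculationControl PowerShell module to those steps. The module and its `Get-SpeculationControlSettings` cmdlet are not mentioned in the post and are assumed to be installed for live data; `Get-PatchStepStatus` is a hypothetical helper name and the sample object is constructed.

```powershell
# Added example: interpret SpeculationControl flags against the patch steps.
# Assumption: Microsoft's SpeculationControl module supplies live data when
# installed; otherwise the constructed sample below is used.

function Get-PatchStepStatus {
    param([Parameter(Mandatory)] $Settings)

    # Step 2 (Windows update): OS support for both mitigations must be present.
    $osPatched = $Settings.BTIWindowsSupportPresent -and
                 $Settings.KVAShadowWindowsSupportPresent

    # Step 3 (firmware): the branch target injection (Spectre) mitigation
    # needs support exposed by updated CPU microcode.
    $firmwareOk = [bool]$Settings.BTIHardwarePresent

    # Meltdown: kernel VA shadowing only matters on CPUs that require it.
    $meltdownOk = (-not $Settings.KVAShadowRequired) -or
                  $Settings.KVAShadowWindowsSupportEnabled

    [pscustomobject]@{
        WindowsUpdateApplied = [bool]$osPatched
        FirmwareApplied      = $firmwareOk
        MeltdownMitigated    = [bool]$meltdownOk
        # Enabled only when OS support and firmware support are both in place.
        SpectreBtiMitigated  = [bool]$Settings.BTIWindowsSupportEnabled
    }
}

# Constructed sample: Windows update installed, firmware not yet updated.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}

# Prefer live data when the module is installed; fall back to the sample.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $settings = Get-SpeculationControlSettings
} else {
    $settings = $sample
}
Get-PatchStepStatus -Settings $settings
```

With the constructed sample, the Windows update and the Meltdown mitigation report as applied while the firmware and Spectre branch target injection entries report as not applied, which is the state of a machine that has completed step 2 but not step 3.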

Author
Yusuf