Security researchers have disclosed two new exploits that can be executed against modern processors. Dubbed "Meltdown" and "Spectre," the exploits use similar methods to impact processors from Intel, AMD and ARM across PCs, mobile devices and in the cloud. The researchers explain:
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre are distinct attacks, but they both allow attackers to break isolation between applications to access information. Perhaps the biggest difference, however, is the specific processors affected by each attack. Meltdown, the researchers say, has only been assessed to impact Intel processors. However, the range of potentially affected processors is vast:
More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.
Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against. The attacks also work against cloud servers, which could leave customer data vulnerable.
Fortunately, at least some fixes are in the wild or on the way. For Google's part, it has an FAQ listing the status of its products and how they're affected:
- Google says it has patched the vulnerabilities in the January security patch to be released to Android devices.
- Chromebooks with an Intel processor and kernel 3.18 or 4.4 are patched with Chrome OS 63. Chromebooks with older kernels will be patched via Kernel Page Table Isolation (KPTI) in a future release. Chromebooks on ARM processors are not known to be vulnerable, but will receive KPTI in a future update regardless.
- Version 64 of the Chrome browser, due to release this month, "will contain mitigations to protect against exploitation."
- Google Home, Chromecast, Google Wifi and Google OnHub are all listed as "no additional user action needed."
- G Suite (Google Apps) has been fixed on the back end and requires no user interaction.
Google also claims that it is "unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices." The question is, of course, how that could change now that more details about the exploits have been revealed and before the myriad Android manufacturers get security patches released to their devices.
For the true nerds among us, ARM has gone into detail about which types of processors using specific ARM designs will be vulnerable to specific types of these attacks.
There are patches against Meltdown for Linux, Windows, and macOS. Spectre is not an easy fix, it seems, and the researchers say that there is ongoing work to "harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre."
You can read more on Spectre and Meltdown, including more technical details, in the researchers' full report.
We may earn a commission for purchases using our links. Learn more.
Android updates are coming faster than ever, but still not fast enough
You'll never see the day where all Android phones get updated to new operating systems on the day they're announced. But we are seeing remarkable improvements.
AT&T zooms past Verizon's 4G network while T-Mobile takes 5G crown
A Market Analysis from Ookla puts AT&T in the top spot for speed in the U.S. beating Verizon and T-Mobile.
Popular platformer Celeste is coming soon to Stadia
Today, the company announced that Celeste and El Hijo are coming to Stadia "soon." It's unclear when they'll launch, but we'll keep you posted as soon as we know more.
With a phone as beautiful as the LG Velvet, you'll want to get a great case
It can be tough to find a great case for a new phone, especially for a phone with a unique and wonderful design like the LG Velvet. But thankfully, there are a lot of solid case choices out there and these are our favorites to keep your LG Velvet safe from when "life happens".