
Intel, ARM and AMD processors all impacted by new Meltdown and Spectre exploits, Google issuing patches

Security researchers have disclosed two new exploits that can be executed against modern processors. Dubbed "Meltdown" and "Spectre," the exploits use similar methods to impact processors from Intel, AMD and ARM across PCs, mobile devices and in the cloud. The researchers explain:

"Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."

Meltdown and Spectre are distinct attacks, but they both allow attackers to break isolation between applications to access information. Perhaps the biggest difference, however, is the specific processors affected by each attack. Meltdown, the researchers say, has only been assessed to impact Intel processors. However, the range of potentially affected processors is vast:

"More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown."

Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against. The attacks also work against cloud servers, which could leave customer data vulnerable.

Fortunately, at least some fixes are in the wild or on the way. For Google's part, it has an FAQ listing the status of its products and how they're affected:

  • Google says it has patched the vulnerabilities in the January security patch to be released to Android devices.
  • Chromebooks with an Intel processor and kernel 3.18 or 4.4 are patched with Chrome OS 63. Chromebooks with older kernels will be patched via Kernel Page Table Isolation (KPTI) in a future release. Chromebooks on ARM processors are not known to be vulnerable, but will receive KPTI in a future update regardless.
  • Version 64 of the Chrome browser, due to release this month, "will contain mitigations to protect against exploitation."
  • Google Home, Chromecast, Google Wifi and Google OnHub are all listed as "no additional user action needed."
  • G Suite (Google Apps) has been fixed on the back end and requires no user interaction.

Google also claims that it is "unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices." The question is, of course, how that could change now that more details about the exploits have been revealed and before the myriad Android manufacturers get security patches released to their devices.

For the true nerds among us, ARM has gone into detail about which types of processors using specific ARM designs will be vulnerable to specific types of these attacks.

There are patches against Meltdown for Linux, Windows, and macOS. Spectre is not an easy fix, it seems, and the researchers say that there is ongoing work to "harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre."

You can read more on Spectre and Meltdown, including more technical details, in the researchers' full report.

18 Comments
  • Wow, this is going to be an interesting story to follow. It would really be something if iOS devices are not impacted; however, since it appears that most cloud servers are, it would be a moot point.
  • Since ARM processors are impacted, it very well could affect iOS as the A-series chips use the ARM architecture
  • Apple Devices are impacted. Apple uses ARM / Intel chips
  • Read an article about an Open-Sourced CPU that terminates all support for Intel's legacy x86 architecture as a permanent resolution (http://www.zdnet.com/article/why-intel-x86-must-die-our-cloud-centric-fu...). I have to say that I agree. It's a pity that Oracle bought Sun Microsystems instead of Red Hat, because then they would have pushed the "OpenSPARC T2" development, giving us much needed options to Intel.
  • What exactly would a user need to do to get affected by this? What I mean is, would you have to download malware first, open a bad email attachment, etc.? Or is it something that wouldn't need a user's interaction for a bad guy to exploit? I'm only talking about home users on their personal computers, not servers or cloud stuff. I've read a lot about what is affected and what the "bad hombres" can get, but not HOW a person might actually fall prey to this vulnerability.
  • You would have to get infected by malware first.
  • As I understand it, you need to have malware installed for this to affect you. It will probably never be a big deal on mobile devices, since the vast majority of software is installed through the App Store and Play Store, which are both pretty likely to weed this kind of crap out.
  • Sorry, but there are numerous incidents of malware getting into the app stores for both Apple and Google. Just because an app is in the store does not guarantee its safety.
  • Actually, one could easily be attacked even through a browser, not just by installing software, which is why Mozilla released a patch for Firefox yesterday, 57.0.4. Nothing new about attacks through infected site code, ads, etc.
  • The headline is misleading. Meltdown (the really bad bug) affects ONLY Intel x86 processors from the last 20 years and ARM Cortex-A75 but not AMD. Spectre affects all processors with Intel being fully vulnerable but AMD only vulnerable to 1 type of attack. Not sure of the status of ARM. Apple devices are just as vulnerable as everything else out there because it's a CPU design fault. However Apple have already patched MacOS, Microsoft are patching Windows 10 today and the Linux kernel has already been patched. The industry knew about this bug for 6 months but kept it under wraps whilst they came up with a fix so the boogie men out there wouldn't be made aware and write malware to exploit it. Someone leaked the info early which is why there's a big media panic and a huge rush to get it fixed quickly. For the average Joe/Joanne, you can just carry on as normal and use the same safeguards you normally do.
  • I hate to speculate, but this to me sounds like a Google leak; notice how it comes out after a Pixel patch and just prior to Microsoft Patch Tuesday. Doesn't really matter as it only "leaked" a week earlier than anticipated. It is interesting that Google discovered it. In the long run it is good that these things are doing, patched, and reported.
  • Seems to be that they should just find the bug and fix it without all the publicity! Letting this crap out in the media gets every ******* out there trying to exploit it...
  • The "Bug" is a hardware flaw so any software/firmware fix will have a negative impact on performance. The real & permanent solution to this is a completely new CPU architecture that isn't based on INTEL's Licensed architecture. However this is a very, VERY EXPENSIVE solution that would take at least 3 years to fully implement. Good times :)
  • http://amp.abc.net.au/article/9306764
    Seems Apple aren't immune either.
  • They can patch this issue but they can't fix the play store. Just remember folks, this is what you get for security from google and the play store: http://www.zdnet.com/article/android-security-flashlight-apps-on-google-... http://www.zdnet.com/article/phony-android-security-apps-in-google-play-... The lack of security in the play store is unbelievable. Google literally doesn't care about secure apps in the play store or they would have fixed it by now.
  • A) Why would you download a flashlight app when it's built in to the OS?
    B) Why would you download some bs security app from a company you've never heard of? I'm not saying this excuses Google, but the end user has to take some responsibility as well. They can't always protect the stupid. That's Apple's job.
  • "Google says it has patched the vulnerabilities in the January security patch to be released to Android devices." Well, the ones that are being updated by Google. The rest of you (ie: most Android devices), good luck!
  • The common denominator in this is INTEL. All the other CPUs licensed their product from Chipzilla's architecture, hence adopting all its flaws.