Meltdown and Spectre – Critical Hardware Security Flaws of the Processors

4 January 2018

It has been confirmed that newly discovered flaws in Intel processors at the hardware level could allow programs to steal data from running applications. Normally, programs are not allowed to read data from other programs. However, malware exploiting these new vulnerabilities can read data from the memory of currently running programs. This includes confidential information such as business-critical documents, passwords, login details, encryption keys, etc. The vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

The two differ in how they work. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory; consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.

According to the published research papers, a JavaScript program running in a web browser could perform this exploit as well.

It should be noted that cloud providers that use Intel CPUs for virtualization without patches applied, as well as hypervisor systems such as VM hosting servers that rely on containers sharing one kernel, will be particularly affected by both vulnerabilities.

Affected Systems

  • Meltdown affects every Intel processor which implements out-of-order execution, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013).
  • Spectre, on the other hand, affects all modern processors capable of keeping many instructions in flight. Essentially, almost every system, from desktops, laptops, cloud servers and VM hosts to even smartphones, is vulnerable. It has been tested and verified on Intel, AMD and ARM processors.

Note that unlike typical malware exploits, which can leave traces in log files, Meltdown and Spectre do not leave any trace, making it more difficult to determine whether a system has already been exploited.

Securing against Meltdown and Spectre

Patches are being built and deployed for all major operating systems by their respective developers, including Linux, Windows and OS X. Please follow the following link to obtain security patch updates and mitigations.

Note, however, that these patches have been reported to degrade system performance by a notable percentage. Even so, it is more advisable to secure your system than to leave it vulnerable.
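To confirm that a patched kernel is actually in place on a Linux host, the script below reads the mitigation status the kernel reports for the three CVEs named in this advisory. It is an added example, not part of the original advisory or any vendor tool, and it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities; it does not cover Windows or OS X.

```python
"""Report Linux kernel mitigation status for Meltdown and Spectre."""
import sys
from pathlib import Path

# Status files written by kernels that carry the fixes (assumed location).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = {
    "meltdown": "CVE-2017-5754 (Meltdown)",
    "spectre_v1": "CVE-2017-5753 (Spectre)",
    "spectre_v2": "CVE-2017-5715 (Spectre)",
}


def classify(raw):
    """Map one sysfs status line to OK / VULNERABLE / UNKNOWN."""
    if raw is None:
        # No file: the kernel predates the reporting interface.
        return "UNKNOWN"
    text = raw.strip()
    # Simplification: any kernel-reported mitigation counts as OK.
    if text == "Not affected" or text.startswith("Mitigation:"):
        return "OK"
    if text.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"


def audit(root=SYSFS_DIR):
    """Return {file name: (verdict, raw kernel text)} for each check."""
    results = {}
    for name in CHECKS:
        try:
            raw = (Path(root) / name).read_text()
        except OSError:
            raw = None
        results[name] = (classify(raw), (raw or "no kernel report").strip())
    return results


def main():
    results = audit()
    for name, (verdict, detail) in results.items():
        print(f"{CHECKS[name]:<28} {verdict:<11} {detail}")
    # Non-zero exit lets a fleet scanner or CI job flag the host.
    return 0 if all(v == "OK" for v, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

An UNKNOWN verdict means the kernel gave no report for that issue, which on an older kernel usually indicates the updates have not been installed.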

More information
