What is it?
Nearly all computers and other smart devices worldwide have been revealed to have significant security issues within their processors, leaving them vulnerable to attack. These vulnerabilities can be found in almost all Intel-developed CPUs since 1995, and they also affect ARM and AMD chipsets. Both bugs were reported by teams such as Google Project Zero, Cyberus Technology, Graz University of Technology, the University of Pennsylvania and the University of Maryland. Google’s Project Zero released further details on the bugs, which affect all operating systems.
Why does it matter?
The hardware flaws, known as 'Meltdown' and 'Spectre', allow programs to steal data owned by other processes on the computer. This means passwords, data, emails and personal information are vulnerable to exploitation.
Meltdown breaks the barrier between user applications and the operating system. If this is exploited, it allows a program to access the memory of the system and steal its contents, including passwords held by other programs and the operating system.
Meltdown can be patched with a software update; however, this may come at the cost of performance.
Spectre breaks the barrier between different applications. It allows attackers to trick programs, which follow best practices, into leaking valuable information. Google states, “It's harder to exploit than Meltdown, but it is also harder to mitigate.” There is likely no hardware solution to Spectre, but software applications will need to be updated to guard against it.
What can you do?
Fixes are available for both Meltdown and Spectre from several manufacturers, as follows:
Microsoft has released updates for recent versions of Windows; older supported versions should be patched soon. These updates are available via Microsoft Update as normal. More details are available here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Linux kernel patches are now available and are currently being rolled out by the various distributions.
Azure has been patched, but VMs will require a reboot to pick up the fix. A forced reboot will happen on the 10th January if the VM has not been rebooted before then.
Both vulnerabilities also affect VMware and XenServer; patches for both hypervisors are available.
Like many cloud platforms, cloud is affected, but only with minimal risk, and will be patched within the next 72 hours.
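To confirm that a Linux host has actually picked up the kernel patches mentioned above, the following added example (not from the original page) reads the per-issue status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities, a kernel interface this page does not itself mention. The function names and the sample status values in write_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): read the per-issue status
# files that patched Linux kernels expose in sysfs.

# Map the text of one status file to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_mitigations [DIR]: print one line per issue and return 1 if any is
# VULNERABLE or UNKNOWN. A missing file usually means the kernel predates
# the updates that added this reporting interface.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            text=$(cat "$dir/$issue")
            verdict=$(classify_status "$text")
        else
            text="(no status file)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-12s %s\n' "$issue" "$verdict" "$text"
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample data for offline testing: a host with the Meltdown and
# Spectre v1 fixes applied but Spectre v2 still unmitigated.
write_sample() {
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable\n' > "$1/spectre_v2"
}

# Pass --live to check the machine this script runs on.
if [ "${1:-}" = "--live" ]; then check_mitigations; fi
```

The non-zero exit status makes the check usable from a fleet audit or monitoring job, so hosts that still need a kernel update or reboot can be flagged.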
For more information about Meltdown and Spectre, visit the researchers' website: www.meltdownattack.com