Meltdown/Spectre

As you have likely heard, researchers at Google’s Project Zero group, along with other research groups and academic institutions, have published information on two new security exploits called Meltdown and Spectre that will have far-reaching consequences for most computing devices, whether on-premises or in the cloud. In short, a hardware vulnerability has been identified in Intel, AMD, ARM and POWER processors which could allow an attacker to bypass all security measures in an operating system (Windows®, iOS or Linux) and access protected data such as passwords, encryption keys and more.

With vulnerabilities come risks. Understanding the Meltdown and Spectre exploits and the risks associated with them will help you choose the right mitigation options for your company and lessen its risk and exposure. Before diving into what Meltdown and Spectre do, it is important to understand some fundamentals of how modern processors work.

Most modern microarchitectures rely on a feature called speculative execution, which allows the CPU to predict what code it might need to run for a given process and run it in advance, so the results are ready before they are needed. This can significantly improve the overall performance and efficiency of a CPU. In addition, processors rely on a critical feature called memory isolation to ensure that privileged processes owned by the operating system kernel run in a different memory space from processes that run user applications. This prevents applications from accessing information that belongs to other applications or to the operating system.

With those concepts in mind, let’s take a look at Meltdown first. With Meltdown, it is possible for malicious code to abuse Intel and ARM’s speculative execution implementations to get the processor to leak information from other processes – particularly the all-knowing operating system kernel. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, containers or other virtual machines. Given that this is a hardware-based issue, devices are susceptible to this exploit regardless of whether they are running Microsoft Windows®, Mac, iOS, Android or Linux. Vendors of these operating systems are releasing patches over the coming weeks to partially mitigate the threat from Meltdown, but true mitigation will also likely require processor microcode updates and possibly a replacement processor. There is more testing to be done by the vendors, so it’s best to stay tuned and keep up with the patches.

Spectre differs from Meltdown in a few key ways. First, while Meltdown primarily affects Intel processors and a few ARM-based processors, the Spectre exploit can affect all Intel processors based on Ivy Bridge, Haswell and Skylake, AMD Ryzen CPUs, and several Samsung and Qualcomm processors which use ARM. Second, researchers have shown that a Spectre attack can be launched from JavaScript downloaded in a web page and compromise the memory space of a browser. Yikes! Spectre attacks involve inducing a victim machine to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the attacker. The challenge with Spectre is that this exploit is fundamentally more difficult to mitigate with software patches, given that it is inherently a hardware flaw. The operating system vendors, such as Microsoft, Apple and Linux, will release patches that partially prevent this exploit, but much is still unknown about the extent of this hardware flaw. At a minimum, the processors will have to be updated with new microcode, and in certain circumstances the processors will likely have to be replaced. Time will tell how much damage this exploit will allow.
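To see whether the operating system patches described above for Meltdown and Spectre are active on a Linux host, you can read the status files the patched kernel publishes under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from any vendor; the sample status strings are constructed in the kernel's format, and the verdict names are this example's own.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample values in the format the kernel writes to these files.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}

def classify(status):
    """Map one sysfs status line to a coarse verdict (names are this example's)."""
    if status is None:
        # File absent: the kernel predates the reporting interface, so it
        # likely predates the mitigations as well. Treat as a finding.
        return "unreported"
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_sysfs(base=SYSFS_DIR):
    """Read each status file; None marks a file that could not be read."""
    out = {}
    for name in CHECKS:
        try:
            out[name] = (Path(base) / name).read_text()
        except OSError:
            out[name] = None
    return out

def audit(statuses):
    """Return (per-issue verdicts, list of issues that still need action)."""
    verdicts = {name: classify(statuses.get(name)) for name in CHECKS}
    action = [n for n, v in verdicts.items() if v not in ("mitigated", "not_affected")]
    return verdicts, action

if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(live.values()) else SAMPLE  # fall back when not on Linux
    verdicts, action = audit(source)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict:13} {(source.get(name) or '').strip()}")
    print("needs action:", ", ".join(action) or "none")
```

A "mitigated" verdict reflects only what the kernel reports; it does not confirm that the processor microcode updates mentioned above have been applied.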

Now that you understand what these security exploits are at a high level, let’s take a look at some critical things to know moving forward.

Vendor Responses – Updated 1/15/18