
Meltdown and Spectre Security Flaw

Although most news reports initially described this flaw as present in Intel processors, it is now known to affect other processors such as AMD and ARM as well. That means all devices using these processors, such as PCs, MacBooks, servers, Android and iOS devices, are affected.

What are the Spectre and Meltdown security flaws?

These are security holes introduced by two different optimization techniques used by processors, namely speculative execution and out-of-order execution.

The technique used to exploit speculative execution is called Spectre and has two variations. One takes advantage of a bounds check bypass, and the other exploits the ability to perform branch target injection by altering the branch target buffer to execute the rogue process.

The technique used to exploit the out-of-order execution performance feature is called Meltdown. It enables a rogue process to read the memory of another process or virtual machine in the cloud without permission or privileges.

How to protect yourself?

Most of the tech industry giants have responded quickly. Google in particular developed a mitigation technique to protect against Spectre and shared it with other partners.

Android

The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high-precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017.

Chromebooks

OS versions prior to 63 are not patched. Chrome OS systems started receiving version 63 on 12/15/2017.

Go to the Google FAQ for steps to take on Google Cloud and other Google products.

Microsoft Windows 10

Microsoft has put out an update (KB4056892) to mitigate this for Windows 10 that is available here.

Apple Devices: MacBook, iPhone, iPad, Apple TV

As of Jan 4th, Apple confirmed that it has addressed the recent “Meltdown” as well as Spectre vulnerabilities in the previously released iOS 11.2.2, macOS High Sierra 10.13.2, and tvOS 11.2.

Browsers

Firefox 57.0.4, released on Jan 4, 2018, includes the two mitigations.

Microsoft Edge: Microsoft has released an update to Windows Client to fix the vulnerability on Edge (KB4056890). Check details.

Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.

Safari: Apple has released new security updates aimed at protecting Safari and WebKit from the Spectre attack. Check details here.

Amazon Cloud

The Amazon Web Services (AWS) team put out a security bulletin on Jan 03, 2018 with instructions for customers to follow on protecting their servers against the vulnerability.

 

 
