At the beginning of the year, two major CPU bugs were revealed:
Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Yep, that is scary, and someone on Twitter perfectly summarised the situation.
Here are the summaries:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
You can download the Meltdown paper here
or get the PDF directly here
meltdown.pdf (184.1 KB)
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
You can download the Spectre paper here
or get the PDF directly here
spectre.pdf (128.8 KB)
Here are some posts
on Google Project Zero Blog
Reading privileged memory with a side-channel
on ars technica
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
Immediate concern is for Intel chips, but everyone is at risk.
on boing boing
Virtually every modern computer is vulnerable to a pair of devastating attacks, and there's only a fix for one of them, and it sucks
on NY Times
Researchers Discover Two Major Flaws in the World’s Computers
on The Guardian
Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers
Everything from smartphones and PCs to cloud computing affected by major security flaw found in Intel and other processors – and fix could slow devices
on Google Security Blog
Today's CPU vulnerability: what you need to know
on Mozilla Security Blog
Mitigations landing for new class of timing attack
Fun times ...
Here you can see a somewhat clear summary of the situation.
Here is the summary of the full thread:
Apparently I don't know how to thread, so here goes my second attempt
at blasting you with critical news on this "Intel Chip problem" which is
not an Intel problem but an entire chipmaker design problem that affects
virtually all processors on the market.
Christmas didn't come for the computer security industry this year.
A critical design flaw in virtually all microprocessors allows attackers
to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
Our story on the motherlode of all vulnerabilities just posted here:
More will be posted soon.
We're dealing with two serious threats. The first is isolated to #IntelChips,
has been dubbed Meltdown, and affects virtually all Intel microprocessors.
The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
The second issue is a fundamental flaw in processor design approach, dubbed Spectre,
which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET
(Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.
Spectre will require a complete re-architecture of the way processors are designed
and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
The basic issue is the age old security dilemma: Speed vs Security. For the past decade,
processors were designed to gain every performance advantage. In the process, chipmakers failed
to ask basic questions about whether their design was secure. (Narrator: They were not)
Meltdown and Spectre show that it is possible for attackers to exploit these design flaws
to access the entire memory contents of a machine. The most visceral attack scenario is an
attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
Data from other customers renting space on that same Amazon/Google/Microsoft cloud server,
then marches onto another cloud server to repeat the attack, stealing untold volumes of data
(SSL keys, passwords, logins, files etc) in the process.
Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code.
Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware.
The economic implications are not clear, but these are serious threats and
Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity
for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk
analysis as to whether they need to swap out all affected hardware.
Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks
are already popping up online today, and the timeline for a full rollout of the patch is not clear.
And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together,
Spectre and Meltdown affect all modern microprocessors.
(Ok I'm back. Thanks United) Meltdown and Spectre affect most chipmakers including those from
AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
The flaws were originally discovered last June by a researcher at Google Project Zero
(shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers
at Rambus and academic institutions. Originally public disclosure was set for next week.
But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure
was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily
know when to expect Meltdown patches from tech cos.
Google says its systems have been updated to defend against Meltdown.
Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's
tailored Linux version, and would roll out the MSFT patch for other customers 2day
I am getting emails from vendors telling me all is fixed. They are clearly not fully read up
on Spectre, which should not be underestimated. Yes, it is far more difficult to exploit.
But not above sophisticated cyber criminals/nation states looking to grab your SSL keys.
What You Can Do About It
Well... you can patch/update your system if a patch is available,
and then that will reduce your CPU performance by ~ 30%.
But if you don't want to patch, or nothing is available yet, you should
at least consider taking measures in your browser.
Let me try to simplify the problem in layman's terms as much as possible:
Meltdown and Spectre allow a program to peek into the CPU and grab stuff like your password in the clear
(it kind of reminds me of FireSheep from many years ago, even if those are completely different things).
That's bad, I mean real real bad: any executable on your system could spy on you.
But it gets worse, as this thing can also be exploited from the browser, which makes any website
you visit a threat: e.g. visit foobar.com and get your PayPal login/password stolen.
It kind of sucks, but here is what I would advise if you browse the web with Google Chrome:
install uBlock Origin
go to chrome://settings/content
switch from “Allowed” to “Blocked”
add some domains in the “Allow” whitelist
enable Strict Site Isolation
go to chrome://flags
search “Strict site isolation”
and click “Enable”
go to chrome://flags/#enable-site-per-process
and click “Enable”
restart the browser
Well ... it is as simple as that. Right now I can guarantee you there are dodgy people hard at work
who are gonna weaponize the information found in the different white papers, and the very first place
where they are gonna try to spread it is through advertising payloads.
Here Are a Few More Links for Mitigation, Patches, etc.
on Bleeping Computer
List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates
KPTI patches are out for Debian Stable
Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
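Once one of those kernel updates is installed, you can check whether the mitigations are actually active. The script below is an added example, not part of the original post or of any vendor advisory. It assumes a Linux kernel that reports its status under /sys/devices/system/cpu/vulnerabilities; the function names and the sample data are the example's own.

```shell
#!/bin/sh
# Added example: summarise the kernel's Meltdown/Spectre status files.
# Usage after sourcing: check_cpu_bugs            (live system)
#                       check_cpu_bugs "$(make_sample)"   (constructed data)
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file contents>" -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_bugs [dir] -> prints "name state detail" for each issue and
# returns 0 only when none of them is VULNERABLE or UNKNOWN.
check_cpu_bugs() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            detail=$(cat "$dir/$name")
            state=$(classify_status "$detail")
        else
            # No file: this kernel does not report status here, so the
            # result is unknown rather than safe.
            detail="no status file in $dir"
            state=UNKNOWN
        fi
        printf '%-11s %-12s %s\n' "$name" "$state" "$detail"
        case $state in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample (not captured from a real machine): Meltdown patched
# with PTI, Spectre v2 still unmitigated.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}
```

A non-zero return from check_cpu_bugs means at least one issue is unmitigated or the kernel gave no answer, which makes it usable as a gate in a patch-compliance job.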
In conclusion, everyone is panicking and they are right to do so, you should too.