A report from The Register yesterday claimed that Windows and Linux developers were scrambling to fix a “fundamental design flaw in Intel’s processor chips.” The flaw theoretically allows any program to view the layout or contents of protected kernel memory areas, which often contain passwords, login keys, cached files, and other sensitive data. Even a web app could potentially read kernel-protected data.
After this report (and a tweet with sample code) was published, Google’s Project Zero security team came forward with more details. The team said in a blog post that it discovered the vulnerability in May 2017, and quickly notified Intel, AMD, and ARM. Those companies have been working on fixes since then, and the full public details were scheduled to be released on January 9. Now that the cat is out of the bag, Google has released some of its findings early.
Spectre and Meltdown
Google reported three different variants of the flaw – known as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. The first two are referred to as ‘Spectre,’ and the last is called ‘Meltdown.’ Meltdown, the vulnerability originally reported by The Register, allows hackers to read protected memory. It’s certainly a major problem, but it can be easily fixed by OS updates.
Spectre steals data from the memory of other applications running on a machine. Google said that Meltdown seems to be limited to Intel chips, but Spectre affects almost all modern processors – including those from AMD, ARM, and Intel. I won’t explain the details of Spectre here, because I’m far from a security expert and my explanation probably wouldn’t be accurate, but this article from Wired does a great job of outlining the problem.
Effects for users
At this point you’re probably wondering how these vulnerabilities affect you. Meltdown is the easier vulnerability to fix, and updates are already going out (or about