Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995."
Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server.
The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team, and were based on previous academic research published by researchers from the Graz University of Technology, Cyberus Technology, and others. These are the same bugs that have been reported today as affecting Intel CPUs.
Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Intel's stock price took a serious dip today following what Intel described as "inaccurate media reports."
Issues described as hardware bugs that need software fixes
The issues at the heart of all the hoopla that happened today concern two attack scenarios that Horn discovered and reported to CPU vendors in June 2017.
Horn describes these issues as hardware bugs that will need both firmware patches from CPU vendors and software fixes from both OS and application vendors.
According to Google, everything and everyone is affected. This includes all major chipset vendors (Intel, AMD, ARM), all major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud providers (Amazon, Google, Microsoft), and application makers.
Flaws discovered in CPU "speculative execution"
The actual flaws reside in a technique called "speculative execution" that is employed by all modern CPUs. This is a basic optimization technique that processors employ to carry out computations for data they "speculate" may be useful in the future.
The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. If an application does not need the "speculated" data, the CPU just disregards it.
Google says that Horn discovered a way to use speculative execution to read data from the CPU's memory that should not have been available to user-level apps.
He discovered three flaws that he combined in two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).
What are Meltdown and Spectre
Google described the two attacks as follows:
Google says it chose the Meltdown codename because "the bug basically melts security boundaries which are normally enforced by the hardware."
"The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time," Google says. "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate."
Detecting Meltdown and Spectre will be hard
Google says that detecting attacks leveraging these two techniques is nigh impossible at the moment.
"The exploitation does not leave any traces in traditional log files," Google said, adding that while possible in theory, antivirus products won't be able to detect such attacks in practice.
Because of this, Google wasn't able to establish if Meltdown or Spectre were ever used in live exploitation scenarios in the wild.
By the time of today's announcement, most OS makers have already implemented patches. Linux, macOS, and Android have already released them, while Microsoft is scheduled to release fixes next week on Patch Tuesday. Cloud providers are scheduled to update their infrastructure this week and the next.
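Linux kernels carrying the fixes report their status per issue under /sys/devices/system/cpu/vulnerabilities/ (one file each for meltdown, spectre_v1 and spectre_v2). The script below is an added example, not code from the article or from Google; it classifies those one-line status reports so the check can be scripted across a fleet, and it uses constructed sample lines rather than requiring a patched host.

```shell
#!/bin/sh
# Added example: classify the kernel's own report for each speculative-execution
# issue. Linux 4.15+ exposes one file per issue under SYSFS_DIR; a file contains a
# single line that starts with "Not affected", "Mitigation: <name>" or "Vulnerable".
SYSFS_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status STATUS_LINE
# Prints one of: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_entry NAME
# Reads one sysfs entry if the running kernel exposes it and prints
# "<name> <classification> <raw line>"; older kernels have no such entry.
report_entry() {
    f="$SYSFS_DIR/$1"
    if [ -r "$f" ]; then
        status=$(cat "$f")
        printf '%-10s %-12s %s\n' "$1" "$(classify_status "$status")" "$status"
    else
        printf '%-10s %-12s %s\n' "$1" "unknown" "(kernel does not expose this entry)"
    fi
}

# Constructed sample lines of the shape these files contain, for offline use:
#   "Mitigation: PTI"  -> mitigated      "Vulnerable"   -> vulnerable
#   "Not affected"     -> not_affected   "" (no entry)  -> unknown
demo_constructed() {
    for line in "Mitigation: PTI" "Vulnerable" "Not affected" ""; do
        printf '%-20s -> %s\n' "\"$line\"" "$(classify_status "$line")"
    done
}

demo_constructed
for name in meltdown spectre_v1 spectre_v2; do
    report_entry "$name"
done
```

A host reporting "unknown" for all three entries is running a kernel from before the fixes shipped, which for this purpose should be treated the same as "vulnerable".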
Most CPUs released since 1995 are vulnerable in some way
At the time of writing, Google believes that Meltdown affects "every Intel processor which implements out-of-order execution," which "is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."
Google says it verified Meltdown only against Intel CPUs, not ARM and AMD. Nonetheless, Intel has a market share of more than 80% on desktops and more than 90% on the laptop and server markets, meaning that a large number of desktops, laptops, and servers are affected.
Meltdown's impact on mobile devices is unknown, but patches are already available for Android.
Google says that they've tested and verified Spectre against Intel, AMD, and ARM processors, and the attack affects desktops, laptops, cloud servers, and smartphones. The attack is also believed to affect almost all CPUs released in recent years.
The bugs are truly "as bad as it gets" when it comes to IT security, as they allow regular user-level code to break through years of hardware-level security boundaries and access data believed to be secure. Users should not skip forthcoming security updates.
Academic research papers on both the Meltdown and Spectre vulnerabilities are also available for technically inclined users.
UPDATE: Several companies have started releasing patches for the Meltdown and Spectre flaws. You can find a full list here.
Comments
Occasional - 6 years ago
Big story (even given the size of cybersecurity stories in 2017). Caught part of the Intel CEO on a financial news program. He disputed the term "bug"; as he said, the chips operated as they were designed. I guess it's just that the design didn't anticipate the possibility of this misuse (as people didn't anticipate commercial airliners being hijacked and used as guided missiles).
Perhaps the most important aspect of the story is as another demonstration that computer systems, of all types, are inherently vulnerable to unanticipated misuse of the fundamental technology which makes them so useful. Caveat utilitor.
spamtrash - 6 years ago
Hmm... I have been looking at your related news, and I have the strange feeling that you have placed the majority of your savings in Intel shares.
That could explain, for instance, the "featured" way of citing you are using, like at the beginning, where you wrote: <<company's assessment affect "every processor [released] since 1995.">>
Which completely changes the meaning of the original statement:
<<More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995>>
Of course I can be wrong, and the continuous underlining that others are affected (while the article clearly says that Intel is EXCLUSIVELY (for now) touched by Meltdown, while all processors are vulnerable to the (more difficult to exploit) Spectre) can be accidental and not related to an intention to protect Intel's reputation by "accidentally" changing the statements of the people who discovered it...