Security Alerts Meltdown & Spectre Vulnerabilities

Tuesday, May 1, 2018

A flaw dubbed Meltdown was discovered within speculative execution in Intel CPUs. This flaw potentially allows a user-level application to perform speculative execution of kernel-level memory.

The implications are that any program could defeat all kernel-level security features, such as address space randomization. The proposed fixes to major operating systems would result in performance penalties between 5% and 30%.

A second flaw named Spectre was disclosed by Google’s Project Zero. This flaw works similarly to Meltdown, but the impact is only to other user-space applications. This could allow a malicious application to surreptitiously view the memory contents of another application. This vulnerability affects Intel, AMD, and ARM CPUs with speculative execution.

A Windows Meltdown patch has been pushed to Windows 10 machines and will be available to Windows 7 and 8 next Patch Tuesday. Linux patches have been created but application will depend on each distribution. Apple already has a patch available in the latest releases for Sierra (10.12) and High Sierra (10.13).