Security Alerts Meltdown & Spectre Vulnerabilities
Tuesday, May 1, 2018
A flaw dubbed Meltdown was discovered within speculative execution in Intel CPUs. This flaw potentially allows a user-level application to perform speculative execution of kernel-level memory.
The implications are that any program could defeat all kernel-level security features, such as address space randomization. The proposed fixes to major operating systems would result in performance penalties between 5% and 30%.
A second flaw named Spectre was disclosed by Google’s Project Zero. This flaw works similarly to Meltdown, but the impact is only to other user-space applications. This could allow a malicious application to surreptitiously view the memory contents of another application. This vulnerability affects Intel, AMD, and ARM CPUs with speculative execution.
A Windows Meltdown patch has been pushed to Windows 10 machines and will be available to Windows 7 and 8 next Patch Tuesday. Linux patches have been created but application will depend on each distribution. Apple already has a patch available in the latest releases for Sierra (10.12) and High Sierra (10.13).