Details are now available on two new security vulnerabilities that affect nearly all modern computing devices.
“Meltdown” and “Spectre” are the two vulnerabilities, and they affect Intel, AMD and ARM Holdings processors. Nearly all devices that are powered by those processors, including laptops, smartphones, desktop PCs and servers can be affected. These bugs could allow for the access and/or theft of sensitive data from any affected device. In order to retrieve this data, hackers must run software on the devices being targeted.
The main problem with Meltdown and Spectre is that if a hacker can manage to access the PC and run code, they can gain access to any of the information on the affected device.
Patches are being put in place to protect against these vulnerabilities, although a patch for Spectre will be much more difficult due to the fact that it requires a redesign of the processor. The U.S. Computer Emergency Readiness Team has issued a statement asking users to contact their software vendors about ways to patch these vulnerabilities.
What are the Differences between “Meltdown” and “Spectre”?
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
For More information on these two vulnerabilities, and ways you can patch them, visit: https://meltdownattack.com/
(Story via EdTech Magazine)