Recent reporting has brought to light serious vulnerabilities in a common time-saving function of Central Processing Units (CPUs). This function is known as speculative execution, where a CPU predicts the most likely outcome of a process branch. By doing this, the CPU can keep executing instead of waiting for the outcome, which leads to increased speed. When the CPU is wrong and the process branches differently, the state of the process is rolled back.
Meltdown is the name given to CVE-2017-5754 (called “rogue data cache load”): during speculative execution, unprivileged users may be able to access system-level data by analyzing the cache. Spectre is two different vulnerabilities rolled into one name. It refers to CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection). Spectre potentially allows a user application to access kernel memory (the kernel is the layer between an application and the system) by exploiting the time it takes a CPU to validate an access call.
This would allow a malicious actor to gather information not only from your machine, but also from servers you interact with (such as ones run by Google Cloud Services or Amazon Web Services). With this access, they can gather passwords, PINs, photos, messages and more.
These vulnerabilities impact Intel, AMD and ARM processors made after 1995 that use speculative execution. Because this is an issue with the CPU, it impacts Android, iOS, Windows, Linux and Unix across computers, tablets, smartphones and even gaming consoles such as the Nintendo Switch. Patches are being created to fix the vulnerabilities, and some have already been released.
What does this mean for you? To protect your sensitive data, you will need to download a security update for your machine. Initially there was speculation that all updated systems would see a performance decrease of up to 30% due to the fix for speculative execution. However, Google notes in its security blog that it has observed negligible impact on performance after the fixes.
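One way to confirm that an update took effect on a Linux machine, added here as an example and not part of the original article: Linux kernels that carry these fixes report a status line per vulnerability under `/sys/devices/system/cpu/vulnerabilities`. The function names are this example's own, and other operating systems need their vendor's tooling instead.

```python
# Added example: helper names below are this example's own, not a kernel or vendor API.
from pathlib import Path

# Directory where Linux kernels carrying the fixes report CPU vulnerability status.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> (name used in the article, kernel status file name)
CVE_FILES = {
    "CVE-2017-5754": ("Meltdown (rogue data cache load)", "meltdown"),
    "CVE-2017-5753": ("Spectre (bounds check bypass)", "spectre_v1"),
    "CVE-2017-5715": ("Spectre (branch target injection)", "spectre_v2"),
}


def classify(status):
    """Map one kernel status line to a verdict string."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check_host(sysfs_dir=SYSFS_DIR):
    """Return {cve: (verdict, raw status line)} for the three CVEs."""
    results = {}
    for cve, (_name, filename) in CVE_FILES.items():
        try:
            raw = (Path(sysfs_dir) / filename).read_text().strip()
        except OSError:
            # No status file: kernel without this interface, or not Linux.
            results[cve] = ("unknown", "status file not present")
            continue
        results[cve] = (classify(raw), raw)
    return results


def needs_update(results):
    """True if any CVE is vulnerable or cannot be confirmed as mitigated."""
    return any(verdict in ("vulnerable", "unknown") for verdict, _ in results.values())


if __name__ == "__main__":
    report = check_host()
    for cve, (verdict, raw) in report.items():
        print(f"{cve}  {CVE_FILES[cve][0]:34} {verdict:12} {raw}")
    print("Update needed" if needs_update(report) else "No update needed for these CVEs")
```

A missing status file is reported as unknown rather than safe, since a kernel too old to expose the interface is also too old to contain the fixes.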
This article was written by guest writer FragginKris (Twitter: @fragginkris)