Meltdown and Spectre

From Ars Technica:

The Meltdown and Spectre flaws—two related vulnerabilities that enable a wide range of information disclosure from every mainstream processor,

Source: Meltdown and Spectre: Here’s what Intel, Apple, Microsoft, others are doing about it | Ars Technica

The linked article has a great deal of detail if you are interested.

The short version is vulnerabilities in certain processors can potentially allow Meltdown and Spectre to steal info stored in the memory of other running programs including passwords stored in a password manager or browser.

For what it is worth here is the conclusion from Ars Technica:

While the response to Meltdown and Spectre hasn’t been as smooth as originally hoped, vendors appear to have done a thorough job. Meltdown, though easier to exploit, is also easier to protect against; the operating system changes appear successful and should do a solid job for the Intel, Apple, and future ARM chips that are susceptible to the attack.

Spectre, however, is going to be a trickier customer. It doesn’t have any clean, simple fix. Operating system changes, ideally in conjunction with greater hardware control over branch prediction, will provide protection in some scenarios, but the array-bounds version of Spectre is going to require careful examination of, and repair to, vulnerable applications. Unlike the other attacks, there doesn’t appear to be any way of implementing an operating system-level fix, and the application of appropriate application-level fixes is in all likelihood going to require lots of manual effort by developers.

Longer term, it seems likely that Meltdown will recede into the distance—an annoyance, perhaps, but fully patched and protected against—but the rather more subtle Spectre is going to be with us for a while.

Leave a Reply

Your email address will not be published.