These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are not typically permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
This sensitive data might include your passwords stored in the password manager or browser, your personal photos, emails, instant messages and even business critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. This vulnerability basically melts security boundaries which are normally enforced by the hardware. Desktop, Laptop, and Cloud computers are effected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information. Luckily there are patches against the Meltdown for Linux, Windows and OS X operating systems.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices into leaking their secrets.In fact, the safety checks of said best practices actually increase the attack surface and may make more applications susceptible to Spectre. Almost every system is affected by Spectre: Desktops, Laptops, cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, Spectre is verified on Intel, AMD, and ARM processors. Spectre tricks other applications into accessing arbitrary locations in their memory. Spectre attacks involve including a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.
For everyone – whether you are a system administrator for a very large enterprise, or you have a single home computer – Install this patch as soon as it is available from your vendor. For consumers, enabling auto update ensures that patches install as soon as they are available to your computer.
