You’ve likely heard about the vulnerabilities recently discovered in the majority of CPUs on the market. These flaws, first discovered by Google’s Project Zero, are being called Meltdown and Spectre and take advantage of core functionality in processor architecture to potentially access information stored in system kernel memory.
Ars Technica recently published an in-depth exploration of Meltdown and Spectre, including the actions taken by the hardware manufacturers involved. Their article describes the two distinct vulnerabilities this way:
Meltdown, applicable to virtually every Intel chip made for many years, along with certain high-performance ARM designs, is the easier to exploit and enables any user program to read vast tracts of kernel data. The good news, such as it is, is that Meltdown also appears easier to robustly guard against. The flaw depends on the way that operating systems share memory between user programs and the kernel, and the solution—albeit a solution that carries some performance penalty—is to put an end to that sharing.
Spectre, applicable to chips from Intel, AMD, and ARM, and probably every other processor on the market that offers speculative execution, too, is more subtle. It encompasses a trick testing array bounds to read memory within a single process, which can be used to attack the integrity of virtual machines and sandboxes, and cross-process attacks using the processor’s branch predictors (the hardware that guesses which side of a branch is taken and hence controls the speculative execution). Systemic fixes for some aspects of Spectre appear to have been developed, but protecting against the whole range of fixes will require modification (or at least recompilation) of at-risk programs. (source Ars Technica)
Some early reports about this issue indicated that only Intel® processors were vulnerable and that impending fixes for these flaws would result in significant performance impacts, but those statements have since been walked back. Additional research has revealed that CPUs from all major manufacturers are affected and that the performance impacts due to any necessary fixes may be less significant than first thought. For their part, Intel released a statement detailing the vulnerabilities, as well as a white paper describing potential mitigation steps and outlining new features they intend to put in place to help safeguard future processor generations.
Logic Supply takes the security of client data very seriously. We are working directly with Intel, Microsoft and other vendors to determine and implement the necessary steps to ensure the continued security of our hardware and will provide any updates as they become available.
–Intel Security Alert
–Microsoft Security Center
–Google Project Zero Report