With the Equifax Inc. breach still visible in our rearview mirror, we didn’t expect to be discussing another massive cyber vulnerability quite so soon. But two recently-discovered processor flaws called Meltdown and Spectre may have implications that are far more widespread and serious. The Equifax debacle affected roughly half of the adults in the United States. Between them, Meltdown and Spectre affect the processors of nearly every computer, tablet, smartphone, and cloud computing service in current use. Virtually every person, business, military, and government agency in the world is a potential victim.
How did this happen?
Meltdown, which is specific to Intel chips, exploits the way speculative executions are stored in a processor's cache. Essentially, it develops a model of what’s currently loaded in the processor by digging through the processor's trash, and then uses that model to reconstruct parts of the computer's high-privilege memory, including passwords and sensitive personal information.
By contrast, Spectre, directly exploits the process of speculative execution. A Spectre attack fools a target processor into speculatively executing code sequences that should not be active during correct program execution. This can force even the most secure applications to render up protected information.
Every processor manufacturer implements speculative execution in its own (usually proprietary) fashion. As a result, a Spectre exploit which affects one set of processors may not be effective against another set of processors. This makes Spectre far more difficult to execute than Meltdown, but also far more difficult to prevent or repair.
What’s at risk?
What’s the fix?
A resolution for Spectre is less easily obtained. The flaw affects nearly all microprocessors on the market, and according to Google Project Zero (the security research group who discovered both weaknesses), a fix for Spectre may require the development and fielding of an entirely new generation of processor chips.
Links:
Apple says all iPhones, iPads, and Macs are affected.
No comments:
Post a Comment