Logos for Meltdown and Spectre attacks

Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995."

Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."

Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server.

The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team, and were based on previous academic research published by researchers from the Graz University of Technology, Cyberus Technology, and others.. These are the same bugs that have been reported today as affecting Intel CPUs.

Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Intel's stock price took a serious dip today following what Intel described as "inaccurate media reports."

Issues described as hardware bugs that need software fixes

The issues at heart of all hoopla that happened today concern two attack scenarios that Horn discovered and reported to CPU vendors in June 2017.

Horn describes these issues as hardware bugs that will need both firmware patches from CPU vendors and software fixes from both OS and application vendors.

According to Google, everything and everyone is affected. This includes all major chipset vendors (Intel, AMD, ARM), all major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud providers (Amazon, Google, Microsoft), and application makers.

Flaws discovered in CPU "speculative execution"

The actual flaws reside in a technique called "speculative execution" that is employed by all modern CPUs. This is a basic optimization technique that processors employ to carry out computations for data they "speculate" may be useful in the future.

The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. If an application does not need the "speculated" data, the CPU just disregards it.

Google says that Horn discovered a way to use speculative execution to read data from the CPU's memory that should have not been available for user-level apps.

He discovered three flaws that he combined in two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

What are Meltdown and Spectre

Google described the two attacks as follows:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Google says it chose the Meltdown codename because "the bug basically melts security boundaries which are normally enforced by the hardware."

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

"The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time," Google says. "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate."

Detecting Meltdown and Spectre will be hard

Google says that detecting attacks leveraging these two techniques is nigh impossible at the moment.

"The exploitation does not leave any traces in traditional log files," Google said, adding that while possible in theory, antivirus products won't be able to detect such attacks in practice.

Because of this, Google wasn't able to establish if Meltdown or Spectre were ever used in live exploitation scenarios in the wild.

By the time of today's announcement, most OS makers have already implemented patches. Linux, macOS, and Android have already released them, while Microsoft is scheduled to release fixes next week on Patch Tuesday. Cloud providers are scheduled to update their infrastructure this week and the next.

Most CPUs released since 1995 are vulnerable in some way

At the time of writing, Google believes that "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)" is affected by Meltdown.

Google says it verified Meltdown only against Intel CPUs, but not ARM and AMD. Nonetheless, Intel has a market share of than 80% on desktops and more than 90% on the laptop and server markets, meaning that a large number of desktops, laptops, and servers are affected.

Meltdown's impact on mobile devices is unknown, but patches are already available for Android.

Google says that they've tested and verified Spectre against Intel, AMD, and ARM processors, and the attack affects desktops, laptops, cloud servers, and smartphones. The attack is also believed to affect almost all CPUs released in recent years.

The bugs are truly as "worse as it gets" when it comes to IT security, as it allows regular user-level code to break through years of hardware-level security boundaries and access data believed to be secure. Users should not skip forthcoming security updates.

Academic researcher papers on both the Meltdown and Spectre vulnerabilities are also available, for technically-inclined users.

UPDATE: Several companies have started releasing patches for the Meltdown and Spectre flaws. You can find a full list here.

Related Articles:

Spectre and Meltdown Hardware Protection Added to Intel's 9th Gen CPUs

The Intel Microcode Boot Loader Protects Older CPUs From Spectre

New PortSmash Hyper-Threading CPU Vuln Can Steal Decryption Keys

WordPress Security Patch Addresses Privacy Leak Bug

Microsoft December 2018 Patch Tuesday Fixes Actively Used Zero-Day Vulnerability