Meltdown and Spectre Attacks
Sunday, 07 January 2018 00:00

Description:
"Meltdown" and "Spectre" are attacks that exploit hardware vulnerabilities in modern processors. "Meltdown" allows attackers to read arbitrary kernel memory or arbitrary physical memory of the target machines. "Spectre" allows attackers to trick an application into leaking sensitive information stored in memory.


CVE Numbers:
CVE-2017-5753/CVE-2017-5715/CVE-2017-5754

Systems Affected:
Any system whose processor allows memory reads in out-of-order instructions and which runs an unpatched operating system is potentially affected by Meltdown. These systems may be desktops, laptops, and cloud computers.

Any system whose processor performs speculative execution based on branch prediction is potentially vulnerable to Spectre. These systems may be desktops, laptops, cloud servers, and smartphones.

Prevention:
Users are advised to apply the available security patches to all affected devices:

  • Windows: Microsoft has released a security update and issued guidance to mitigate these vulnerabilities.
  • macOS: Apple had already fixed most of these security holes in macOS High Sierra 10.13.2 last month, but macOS 10.13.3 will enhance or complete these mitigations.
  • Linux: Linux kernel developers have also released patches that implement kernel page-table isolation (KPTI), which moves the kernel into an entirely separate address space.
  • Android: Google has released security patches for Pixel/Nexus users as part of the Android January Security Patch Update.  Other users have to wait for their device manufacturers to release a compatible security update.
  • Firefox Web Browser: Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. Users are advised to update their installations as soon as possible.
  • Google Chrome Web Browser: Google has scheduled its patches for the Meltdown and Spectre exploits for January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.
  • VMware: VMware has released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.
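
For the Linux item above, a patched kernel reports its own mitigation state through sysfs, so the result of patching can be verified rather than assumed. The following script is an added example, not part of the original advisory: it reads the kernel's status files and maps them to the three CVE numbers listed above. It assumes the standard sysfs path /sys/devices/system/cpu/vulnerabilities; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report Meltdown/Spectre mitigation status as stated by the Linux kernel."""
import sys
from pathlib import Path

# Directory where patched kernels publish one status file per vulnerability.
# Kernels without it predate the reporting interface.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Status file name for each CVE number listed in this advisory.
CVE_FILES = {
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
    "CVE-2017-5754": "meltdown",
}


def classify(text):
    """Map the kernel's status string (e.g. 'Mitigation: PTI') to a verdict."""
    status = text.strip()
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (verdict, raw_status)}. A missing file is reported as
    'unknown' because the patch level cannot be confirmed from sysfs."""
    report = {}
    for cve, name in CVE_FILES.items():
        try:
            raw = (Path(sysfs_dir) / name).read_text().strip()
        except OSError:
            report[cve] = ("unknown", "status file missing")
            continue
        report[cve] = (classify(raw), raw)
    return report


def needs_action(report):
    """CVEs that are neither confirmed mitigated nor confirmed not affected."""
    return sorted(c for c, (v, _) in report.items() if v in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = audit()
    for cve, (verdict, raw) in sorted(result.items()):
        print(f"{cve}: {verdict} ({raw})")
    sys.exit(1 if needs_action(result) else 0)
```

The non-zero exit status when any CVE is unconfirmed lets the script serve as a compliance check in fleet tooling.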


Reference:
https://meltdownattack.com/
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
https://thehackernews.com/2018/01/meltdown-spectre-patches.html
https://www.kb.cert.org/vuls/id/584653