On Wednesday, January 3, 2018, security researchers announced a series of security vulnerabilities that affect most of the world’s microprocessors (CPUs), going back about 20 years. Unsurprisingly, it’s caused a major firestorm in the media, and although I’m a little tongue-tied on this one – as some might have guessed – it’s well worth it to provide a high level overview and link repository.
Summarily, the vulnerability means that due to the way modern microprocessors schedule and execute instructions, it possible for attacker with access to one process running on the computer to steal access secret data belonging to another process on the same computer. Not trivial, yet possible, and actual proven. The attacks have been tagged Spectre and Meltdown.
As top security blogger, Bruce Schneier, put it,
This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine.
Most microprocessor vendors and Operating system vendors have released patches, and most major cloud providers have patched their systems by now.
To learn more about this, you can visit any of the links below…
- Main website
- Research Papers: Spectre and Meltdown
- List of Spectre and Meltdown Vulnerability Advisories, Patches, & Updates
- Information from Google’s Project Zero security team
- A response from Intel (other microprocessor vendors are affected)
- Analysis from Bruce Schneier
If you enjoyed this post, you can subscribe to receive my weekly newsletter via email.