Earlier this week it was announced that modern CPUs are suffering from two major vulnerabilities being referred to as Meltdown and Spectre. The vulnerabilities will enable attackers to access sensitive information stored on computers.
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” according to a website created about the bugs.
These vulnerabilities impact personal computers, mobile devices and the cloud. Security researchers revealed that Meltdown has been found on Intel processors. It is unclear if it is impacting AMD or ARM processors.
“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system,” the researchers wrote.
Desktops, laptops, cloud servers, and smartphones are all affected by the Spectre bug. These vulnerabilities affect virtually all computers, including Apple, Windows, and Linux machines.
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre,” the researchers wrote.
The vulnerabilities were discovered by security researchers last year and disclosed to companies including Apple and Microsoft, with plans to disclose to the public later.
Apple released a statement saying that there are “no known exploits impacting customers at this time.” The company advised customers to only download software from trusted sources because most of the exploits require a malicious app to be loaded onto the computer. Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to defend against Meltdown and are working on releasing mitigations in Safari to defend against Spectre. Microsoft also released a patch on Wednesday.
Intel has issued several updates to protect against the vulnerability. In a press statement Intel claims that it expects to issue updates for more than 90 percent of its processors products by the end of next week.
“Intel will continue to work with its partners and others to address these issues, and Intel appreciates their support and assistance. Intel encourages computer users worldwide to utilize the automatic update functions of their operating systems and other computer software to ensure their systems are up-to-date,” Intel wrote in the press release.
“These widespread vulnerabilities underscore the importance of having ongoing risk assessment processes in place, as well as well-oiled TVM processes – both as part of a robust information security program,” said Michael Lines, VP of strategy, risk, and compliance at Optiv. “Risk assessment should cover both awareness and management of the issue at the board and C-suite level. These flaws are going to bring a lot of ‘doom and gloom,’ but organizations’ ability to react in an efficient and predictable way is what is most critical. Don’t panic, prepare a rational plan based on patch availability and system sensitivity, execute your plan, and monitor progress.”