What are Meltdown And Spectre Flaws/vulnerabilities?
The two serious security flaws discovered by Google’s Project Zero team caused by “Speculative Execution”. Speculative Execution is a technique used by most modern processors to optimize performance.
According to Jann Horn, a Google Project Zero researcher, an attacker can read the sensitive information from memory using speculative execution technique. The sensitive information may include passwords, encryption keys and sensitive information running on user’s machine.
Virtual Machines are also affected
Jann Horn also talks about the test done on a virtual machine. He says that on Virtual machine an attacker could get the host physical memory access and then get read access to all the virtual machines’ memory running on that host.
“As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data.”, Google security blog said. The blog also said that all the Google products had been fixed as soon as they knew about this new class of attack.
Matt Linton (Senior Security Engineer and Pat Parseghian) also said, “We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web”.
In a statement, Apple and Microsoft said that they had released the security patches for desktop computers affected by Meltdown. Microsoft has also confirmed that so far they had no information sugggesting any compromised data due to these flaws. Other security researchers also talked about these flaws. Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown said that the bug was probably one of the worst CPU bugs ever found.
Meltdown, Spectre patches for Linux
Canonical says that the actual date to announce the vulnerabilities was Jan 9 so it was preparing to release updates before the date.
“The original coordinated disclosure date was planned for January 9 and we have been driving toward that date to release fixes. Due to the early disclosure, we are trying to accelerate the release, but we don’t yet have an earlier ETA when the updates will be released. We will release Ubuntu Security Notices when the updates are available”, Ubuntu said.
The security patches for Meltdown and Spectre from Ubuntu are yet to be announced.
Happily, RedHat has released the patches to protect its users against Meltdown. The patches named “RHSA-2018:0013 – Security Advisory” and “RHSA-2018:0012 – Security Advisory” released on 4th, Jan 2018. You can read more about the security patches here and here.
SUSE has released patches for its most recent SUSE Linux Enterprice (SLE) versions. For other SLE versions, the patches will be released shortly.
Debian is tracking the vulnerabilities. They’ve not yet released any patch against the two flaws.
Linux kernel developers had already seen this vulnerability coming and fixed it. Look here. But another issue arises after applying fix is that several software’s performance will drop. For example, PostreSQL database is estimated to experience 17% drop in performance.
Meltdown in Action
Spying on Passwords using Meltdown security flaws