On January 2, 2018, a serious design flaw in Intel CPUs was reported that could be exploited by attackers to gain unauthorized access to a computer’s memory. These vulnerabilities, dubbed Meltdown and Spectre, affect nearly all modern processors and can only be mitigated through operating system patches. While these vulnerabilities are significant, their exploitation requires that an attacker gain access to a targeted computer via a prior step.
Due to the nature of these vulnerabilities, AccessData recommends that its users apply operating system patches as soon as they are made available. Patches addressing the Meltdown vulnerability have already been released for Microsoft Windows (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002). Patches for the Spectre vulnerability are not yet available, as the vulnerability is reportedly more difficult to patch, but also more difficult to exploit.
Please also note that operating system vendors have already warned that patching is likely to have a performance impact on affected computers. However, based on these early reports, AccessData does not believe that the impact will be noticeable on most systems.
What are Meltdown and Spectre?
Meltdown and Spectre are verified exploits for certain hardware vulnerabilities in modern processors. These hardware vulnerabilities can allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can use the Meltdown and Spectre exploits to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
The Meltdown and Spectre exploits can be used against personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might even be possible to steal data from other customers.
Am I affected by the Meltdown and Spectre vulnerability?
Almost certainly, YES. These vulnerabilities affect: desktops, laptops, cloud computers, and mobile devices.
More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Currently, Meltdown has only been verified to affect Intel processors and at the moment, it is unclear whether AMD processors are also affected.
What should I do to protect my AccessData servers and information?
AccessData recommends that its users apply operating system patches as soon as they are made available. Patches addressing the Meltdown vulnerability have already been released for Microsoft Windows (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002).
Is there more technical information about Meltdown and Spectre?
Yes, there is both an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.