A critical flaw was found in all Intel processors launched in the past decade. The vulnerability can allow an attacker to gain access to protected kernel memory. This chip-level security flaw cannot be fixed with a CPU microcode (software) update. Instead, it requires modification of the OS kernel.
Here are some details.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Refer to these web sites:
Patches have already been released for Linux and macOS. To resolve the issue, Microsoft has released the following patches for Windows 10:
- KB4056892 (OS Build 16299.192)
- KB4056891 (OS Build 15063.850)
- KB4056890 (OS Build 14393.2007)
- KB4056888 (OS Build 10586.1356)
- KB4056893 (OS Build 10240.17738)
The updates can be downloaded from the Windows Update catalog. For example, use the following link to download the KB4056892 package:
Microsoft made the following statement:
"We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
An unfortunate consequence of this security vulnerability is that its patches are expected to slow down all devices anywhere between 5 to 30 percent depending on the processor and software being used. Even ARM and AMD CPUs may get performance degradation due to fundamental changes in how the OS kernel works with memory. According to Intel, processors with PCID / ASID (Skylake or newer) will have less performance degradation.
Security fixes for Windows 7 and Windows 8.1 are expected to be released soon.