Vulnerabilities – Meltdown and Spectre

Vulnerabilities potentially impacting all major processor vendors were disclosed recently by Google Project Zero. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715).

Overview

Meltdown allows any application to access all system memory, including memory allocated for the kernel. Mitigation for this vulnerability will require operating system patches and potentially firmware updates. Patches for this vulnerability may have a performance impact on systems. So far, only Intel chips have been shown to be vulnerable.

Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. This vulnerability may require changes to processor architecture in order to fully mitigate. According to Google Project Zero, this vulnerability impacts Intel, AMD, and ARM chips.

Mitigations

Microsoft has issued a patch for Windows 10, while other versions of Windows are expected to be patched on the traditional Patch Tuesday on January 9, 2018. Microsoft has also issued a guidance document for mitigations on client devices.

Note that the patches released by Microsoft may be incompatible with certain antivirus software.

MacOS 10.13.2 mitigates some of the disclosed vulnerabilities, but MacOS 10.13.3 will enhance or complete these mitigations.