A new vulnerability has been discovered inside nearly all processors created in the last 20 years. The vulnerabilities named Meltdown and Spectre were independently discovered recently. The newly discovered vulnerabilities can allow an attacker to infiltrate the privileged memory of a processor by exploiting the way processes run in parallel. This can result in an attacker being able to steal just about any of the data on the system, including passwords and keystrokes.
The bug essentially melts security boundaries down, which are normally enforced by the hardware to protect it. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory.
The root cause of Spectre is speculative execution, which how the name came about. It is also not easy to fix, so it will haunt our systems for a while. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Microsoft quickly released a patch for the bug for Windows 10 devices, but this will only fix part of the problem. Browsers will also need to release security updates. Google has said they will be releasing an update with the included patch by the end of the month. Firefox and Microsoft’s browsers (Internet Explorer and Edge) have already released updates. No word on when Safari may see a patch for the vulnerability.
You will also want to check with your device manufacturer to update the BIOS on your computer.
Installing these updates will only currently cover protection against Meltdown, which poses a more immediate threat to systems. Spectre is still being researched, and currently appears to be much more difficult to exploit than Meltdown. The fix for Spectre will also be more complicated, as The New York Times reports that Spectre fixes will require a redesign of the processor and hardware changes. We may be dealing with the aftermath of Spectre for a long time. Who is ready to call for an exorcism?