Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.
So far, there are three known variants of the issue:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
To exploit the issue on an unpatched system, an attacker would only need to be able to execute code. This means that shared (cloud) systems are particularly vulnerable, and Mozilla confirmed that it is possible to use similar techniques from Web content to read private information between different origins, so it could be exploited on a vulnerable browser simply by visiting an attacker-controlled site.
- Speculation that (presumably) led to early release: [PythonSweetness]
- High-level overview from Project Zero
- More detailed information̉ from Project Zero
Mitigating the issue
Given the seriousness of this issue, the collective response from vendors has been outstanding. Here’s a look at our current status:
- Amazon Web Services: Mitigated.
- Microsoft Azure: Mitigated.
- Google Compute Engine: Mitigated.
- Rackspace: Not Yet Mitigated (2018-01-04 11AM PST).
Operating System Vendors
- Android: Update available!
- Linux: Some updates available! In some cases, you’ll need to manually update the kernel. Distribution specific patches are still coming together with some already available through normal update channels. New mitigations are still being discussedat time of writing.
- OSX: Update available! (Detail)
- Chrome-OS: Update available!
- Windows 7: Update available!
- Windows 8.1, 2012R2: Update available!
- Windows 10: Update available!
- Apple Safari: No update available (2018-01-04 11AM PST).
- Google Chrome: Update available on the the 23rd. (Immediate workaround)
- Microsoft Edge: Update available!
- Mozilla Firefox: Update available!
This documents details a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands added here soon.
This blog first appeared on Jonathan Cran's blog.