UPDATED: Jan. 5, 2018 4:30 p.m. ET
Publicly disclosed vulnerabilities known as Spectre and Meltdown affect many processors and operating systems in use today. According to reports, affected processors include Intel, AMD, and ARM. Also, according to reports, affected systems include Windows, Linux, Android, Chrome, iOS, and MacOS (including laptops, embedded devices, servers, clients, mobile phones, etc.).
You are encouraged to seek out guidance from the vendors of your respective systems. Many vendors, including Microsoft, have already released patches that significantly alter how their systems handle memory operations in order to protect against these disclosed vulnerabilities. Yet others are continuing to roll out such patches.
In addition, Microsoft has issued client and server guidance for IT professionals to protect against speculative execution side-channel vulnerabilities. (Please note: These pages from Microsoft also have information on a Powershell script that can be executed to confirm protections against these vulnerabilities. Additional mitigation information is also provided.)
In describing the Meltdown vulnerability, researchers have characterized it as follows:
“Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. …Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”
Additionally, “Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.”
On the positive side of things, the exploit code may be used to check whether or not a system is vulnerable. A demonstration of the Spectre attack on a vulnerable machine (a Linux virtual machine running on a Windows 7 platform) is as follows:
This exploit only took a few seconds to execute. Since the system is vulnerable, it outputted the following phrase: “The Magic Words are Squeamish Ossifrage.”
Jan. 5, 2018 4:10 p.m. ET Update:
I just installed the 2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894). Here is the result of the spectre program. As you can see, the problem has been fixed. Again, I am running a virtual Linux machine on a Windows 7 Professional SP1 x64 platform. Thus, the secret message is not read from memory with this patch in place.