A report from The Register yesterday claimed that Windows and Linux developers were scrambling to fix a “fundamental design flaw in Intel’s processor chips.” The flaw theoretically allows any program to view the layout or contents of protected kernel memory areas, which often contain passwords, login keys, cached files, and other sensitive data. Even a web app could potentially read kernel-protected data.
After this report (and a tweet with sample code) was published, Google’s Project Zero security team came forward with more details. The team said in a blog post that it discovered the vulnerability in May 2017, and quickly notified Intel, AMD, and ARM. Those companies have been working on fixes since then, and the full public details were scheduled to be released on January 9. Now that the cat is out of the bag, Google has released some of its findings early.
Spectre and Meltdown
Google reported three different variants of the flaw – known as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. The first two are referred to as ‘Spectre,’ and the last is called ‘Meltdown.’ Meltdown, the vulnerability originally reported by The Register, allows hackers to read protected memory. It’s certainly a major problem, but it can be easily fixed by OS updates.
Spectre steals data from the memory of other applications running on a machine. Google said that Meltdown seems to be limited to Intel chips, but Spectre affects almost all modern processors – including those from AMD, ARM, and Intel. I won’t explain the details of Spectre here, because I’m far from a security expert and my explanation probably wouldn’t be accurate, but this article from Wired does a great job of outlining the problem.
Effects for users
At this point you’re probably wondering how these vulnerabilities affect you. Meltdown is the easier vulnerability to fix, and updates are already going out (or about to be released) for Linux, Windows, and macOS. Spectre takes advantage of ‘speculative processing,’ a feature of almost every modern CPU. Google has published a help page explaining which products and services are affected by Meltdown and Spectre.
The company said exploiting Meltdown and Spectre “has shown to be difficult and limited on the majority of Android devices.” The fixes for ARM chips were part of the Android January 5 security patch level, so Pixel/Nexus users are already safe.
Google notes that the current stable version of Chrome (version 63) already includes a feature called Site Isolation, which forces websites to use different address spaces. This can be turned on by switching the #enable-site-per-process flag (paste chrome://flags/#enable-site-per-process into Chrome’s address bar) to ‘Enabled.’
Google says the feature may have performance issues on Android, and it’s not available at all on Chrome for iOS (because Chrome on iOS uses WKWebView to render pages). Chrome 64, which will be released on January 23, will contain more protection features.
Intel-based Chrome OS devices are already patched, as long as they use versions 3.18 or 4.4 of the Linux kernel. You can check which version your Chromebook has by going to chrome://gpu, then scrolling down to ‘Version Information.’ The kernel version is listed next to ‘Operating system,’ as seen below:
Google says that older kernels will be patched in a future Chrome OS release. The company also reports that existing attacks do not affect ARM-based Chromebooks, but they will be patched anyway in the near future.
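As an added example that is not part of the original article, the following POSIX shell script automates the kernel check on an ordinary Linux machine: it asks the kernel for its own Meltdown/Spectre mitigation status (read from the sysfs vulnerabilities directory, an assumed path that newer kernels and distribution backports expose, not something the article mentions) and classifies the running version against the 3.18/4.4 series the article lists as patched on Chrome OS.

```shell
#!/bin/sh
# Added example: report the kernel's own Meltdown/Spectre verdict and check the
# kernel version series. Assumed sysfs path (kernels that carry the mitigation
# reporting expose one file per CVE here); override with VULN_DIR if needed.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print the kernel's status line for each CVE (Meltdown = CVE-2017-5754,
# Spectre v1 = CVE-2017-5753, Spectre v2 = CVE-2017-5715).
# Returns 1 if any entry still reads "Vulnerable", 0 otherwise.
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$f" ]; then
            status=$(cat "$dir/$f")
            printf '%-11s %s\n' "$f:" "$status"
            case "$status" in
                Vulnerable*) rc=1 ;;
            esac
        else
            printf '%-11s %s\n' "$f:" "not reported by this kernel"
        fi
    done
    return $rc
}

# Return 0 if the version string belongs to a series the article lists as
# already patched on Intel Chrome OS devices (3.18 or 4.4), 1 otherwise.
chromeos_series_patched() {
    case "$1" in
        3.18|3.18.*|4.4|4.4.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show the live system's status.
report_mitigations || echo "WARNING: kernel reports at least one unmitigated issue"
kver=$(uname -r)
if chromeos_series_patched "$kver"; then
    echo "kernel $kver: in a series the article lists as patched"
else
    echo "kernel $kver: not in the listed series; rely on the sysfs report above"
fi
```

On kernels that predate the sysfs reporting, every entry shows "not reported by this kernel" and the version check is the only signal, so treat that output as inconclusive rather than as a clean bill of health.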
The Google Home, Google WiFi, and the various OnHub routers are not affected by the vulnerabilities. Google’s online sites/infrastructure, including Search, YouTube, Blogger, and other services are already protected. Some of Google’s professional/enterprise tools, like Cloud Datalab and Compute Engine, have been patched but may require an update for end-users.