Meltdown and Spectre Vulnerabilities

The new year starts with a fairly nasty security disclosure

Bugs were discovered last year on most modern CPU and could be used to gain information from system parts of the memory (Meltdown) or from arbitrary locations in userspace memory (Spectre). Now don't panic dear hitchhikers, security patches are rolling out for most operating systems, and you should probably install them.

Here are the currently known vulnerabilities1:

The official disclosure page (both Meltdown and Spectre) lead to the same page) is pretty much complete with technical researches available for download. Linux distributions will possibly start backporting kernel page table isolation (KPTI) feature2 to mitigate the most serious bits.

Major operating systems manufacturers have produced security advisories and provided additional details:

For those interested in more in dept information, there are already great articles available on python sweetness and KAISER and about KPTI). Another article by Jonathan Corbet covers each vulnerability with detailed examples.

Cloud computing can make this issue more serious with exploitation of Meltdown potentially leaking host reserved data to a guest virtual machine. Google is saying that the infrastructure that they are responsible for under the shared responsibility model implements the latest security fixes already. Thanks to their live migration capacity, Google will not force a maintenance on its customers and no virtual machines will have to be restarted (Reference here). Amazon has not updated their advisory after January 3 14:45 PST (link), but there might be a need to restart paravirtual Xen based EC2 instances to get the latest security fixes onto the underlying hosts. Microsoft Azure says that the majority of the infrastructure was updated in the past weeks to address the vulnerability (link).

Along with the disclosure is a video demonstrating the Meltdown attack on a Linux machine:

Obviously there is a lot of drama and finger pointing going on right now since this disclosure has an impact on the entire industry. Just look at the responses from Intel and AMD.

Canonical has produced a good summary of the vulnerabilities: here.

Additional references: