With last year's biggest revelations being the entirety of Vault 7 and the Equifax breach, we're starting off this year with two exploits (though divided into three vulnerabilities) affecting roughly 20 years of CPUs.
Article Dump:
Official Meltdown and Spectre Exploit Website
Includes Q&A, CVEs, and academic papers
Google Project Zero write up on Meltdown and Spectre
Written by one of the researchers that found both exploits
The Register - Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
Ars Technica - What’s behind the Intel design flaw forcing numerous patches?
Meltdown explanation in layman's terms
Wired - A Critical Intel Flaw Breaks Basic Security for Most Computers
Why Raspberry Pi isn't vulnerable to Spectre or Meltdown
Includes layman's explanation of speculative execution
Meltdown in Action: Dumping memory
Meltdown demo - Spying on passwords
Official responses from various companies
Intel
AMD
ARM
Microsoft
Amazon Web Services
Google
Android Security Bulletin
Linus Torvalds doesn't like Intel
A valid complaint, given that Intel apparently thinks it's OK as long as malicious actors can "only" read memory
LLVM's work in progress Spectre patch for variant 2
Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you
Basic ways to exploit these vulnerabilities:
With Spectre, an attacker can put malicious JS on a website, allowing them to read all browser memory including form data such as passwords, cookies, session tokens, and encryption keys.
A similar approach can be used with Java in a sandbox.
With Meltdown, an attacker can host software in some cloud environment to read memory from the host machine. Any data on that server can then be read.
tl;dr:
Two major CPU vulns just went public
Exploitable CPUs allow attackers to read the memory of currently running processes
Meltdown is exploitable on Intel CPUs while Spectre is exploitable on Intel, AMD, and ARM CPUs
Meltdown is not yet verified to work on AMD or ARM CPUs
Spectre is likely to affect all modern multithreading CPUs
It is unclear if this exploit has ever been used publicly before now
Patches have been put out for the Linux kernel, Windows, OSX, and Android but only for Meltdown so far
LLVM have a work in progress patch for one of Spectre's two variants
Expect lots of recompiling soon
Patches are software to fix a hardware issue. This isn't going to be properly solved until a couple years down the line with a redesigned CPU generation.
Performance hits are expected, and further performance hits are expected when the Spectre patches roll out
Ballpark 5 to 30% performance decrease for Intel CPUs
This primarily affects system calls, not computation, meaning that things like rendering or gaming shouldn't be affected in any substantial way.
Expect the largest performance hits on VM software that uses Hyper-V, or on Docker containers
Likely not an NSA or CIA backdoor because it would still affect their own hardware as much as anyone else
As per usual, encrypt your data and use stuff like NoScript.
As long as you keep up to date with software patches, the average user shouldn't be alarmed.
BUT FUCKING UPDATE YOUR SHIT
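Since "keep up to date with patches" only helps if you can tell whether the patch actually landed, here's an added example (my own code, not from any of the linked articles) that reads the per-issue status files Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2; present since kernel 4.15) and flags anything still reported as "Vulnerable". The sample directory contents are constructed, not captured from a real box, so the script runs offline; point read_status() at the real path to check a live host. An old kernel that lacks the directory is reported as "needs attention", not as safe.

```python
"""Check a Linux host's Meltdown/Spectre mitigation status from sysfs.

Added example, not part of the original post. Each file under
/sys/devices/system/cpu/vulnerabilities/ holds a one-line status such as
'Mitigation: PTI', 'Not affected' or 'Vulnerable'. A missing directory means
the kernel predates the status interface, so the answer is 'unknown'.
"""
import os
import tempfile

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of a partly patched host: Meltdown covered by KPTI,
# Spectre v1 mitigated, Spectre v2 still open. Sample values, not real output.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def read_status(vuln_dir=SYSFS_VULN_DIR):
    """Return {issue_name: raw status line}, or None if the kernel does not
    expose the directory (pre-4.15 kernel, or not Linux at all)."""
    if not os.path.isdir(vuln_dir):
        return None
    result = {}
    for name in sorted(os.listdir(vuln_dir)):
        path = os.path.join(vuln_dir, name)
        try:
            with open(path) as fh:
                result[name] = fh.read().strip()
        except OSError:
            # unreadable entry: skip rather than guess a status
            continue
    return result


def classify(line):
    """Map one sysfs status line to a coarse verdict."""
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(status):
    """Return (needs_attention, {issue: verdict}).

    needs_attention is True when any issue is vulnerable or unknown, and also
    when the kernel gives no status at all: 'can't tell' must not read as 'safe'.
    """
    if status is None:
        return True, {"_kernel": "unknown (no sysfs vulnerabilities dir)"}
    verdicts = {name: classify(line) for name, line in status.items()}
    needs_attention = any(v in ("vulnerable", "unknown") for v in verdicts.values())
    return needs_attention, verdicts


def write_sample_dir():
    """Materialise the constructed sample as files in a temp directory."""
    sample_dir = tempfile.mkdtemp(prefix="vuln_sample_")
    for name, content in SAMPLE_STATUS.items():
        with open(os.path.join(sample_dir, name), "w") as fh:
            fh.write(content)
    return sample_dir


def check_sample():
    """Run the full check against the constructed sample directory."""
    return summarize(read_status(write_sample_dir()))


if __name__ == "__main__":
    needs, verdicts = check_sample()
    print("sample host needs attention:", needs)
    for issue, verdict in verdicts.items():
        print(f"  {issue}: {verdict}")
    # Uncomment to check the machine this runs on:
    # print(summarize(read_status()))
```

On the sample the script reports spectre_v2 as vulnerable and the host as needing attention, which matches the state of most machines when this post was written: Meltdown patched via KPTI, Spectre v2 waiting on compiler and microcode fixes.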