What Are They?
Meltdown and Spectre both exploit critical vulnerabilities in modern processors. If exploited successfully, a program would be able to read the memory of another process or of the kernel. As you can imagine, this represents a significant security risk. For example, it could enable privilege escalation, JavaScript running in a victim's browser could potentially steal session cookies, a service running on a web server could steal the private key of the web server's certificate, and the list goes on.
Since the systems of cloud providers (such as AWS and Google) run on affected processors, VM instances running on these servers will also be affected.
Meltdown
Meltdown allows an unprivileged process to access privileged kernel memory. This would allow for privilege escalation. Meltdown affects almost every Intel processor since 1995. It also appears to affect some ARM chips.
Working PoCs have been developed, so this is a real danger:
Using #Meltdown to steal passwords in real time #intelbug #kaiser #kpti /cc @mlqxyz @lavados @StefanMangard @yuvalyarom https://t.co/gX4CxfL1Ax pic.twitter.com/JbEvQSQraP
— Michael Schwarz (@misc0110) January 4, 2018
Bingo! #kpti #intelbug pic.twitter.com/Dml9g8oywk
— brainsmoke (@brainsmoke) January 3, 2018
Spectre
Spectre, unlike Meltdown, does not allow an unprivileged process to access privileged kernel memory. It would most likely help a process within a sandboxed environment to leak data. This affects almost all current-day processors, including those from Intel, AMD and ARM.
What Do I Need To Do?
As always, make sure that you patch your software! You can also reduce risk by installing an ad blocker in your browser and by disabling JavaScript (this might not be a viable solution, since many sites rely on JavaScript to function).
Cloud providers are already actively patching their servers, so ensure that you follow any communication from your cloud provider.
Meltdown
Ensure that you install any software and OS updates. Windows is currently releasing an emergency patch. Linux has a fix in the kernel, but this may take a few days to reach all the Linux distros. macOS has already patched the issue (since version 10.13.2).
However, there is a negative side effect: downgraded performance. Figures are anywhere from a 5% degradation all the way to 30%. The size of the performance hit will vary with the scenario, such as how many threads are being used, what application is running (some applications appear to be more affected than others), the OS (these figures were based on Linux; there is suspicion that Windows will be less affected), etc.
Spectre
Unfortunately the only known way to address this issue is via a hardware fix. Thankfully this is harder to exploit than Meltdown.
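To confirm that a Linux host has actually picked up the kernel fix, you can read the status the kernel reports about itself. The script below is an added example, not part of the original post; it assumes a kernel new enough to expose /sys/devices/system/cpu/vulnerabilities, and it goes slightly beyond the text by reading the Spectre entries as well as the Meltdown one. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel's self-declared Meltdown/Spectre status.
# Assumption: the kernel exposes one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<raw text>" -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vulns [dir] -> prints "<issue> <class> <raw text>" for each issue and
# returns 1 if any issue is reported vulnerable or has no readable status.
check_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
            class=$(classify_status "$raw")
        else
            # A missing file usually means the kernel predates the fix
            # (or at least predates the reporting interface).
            raw="no status file"
            class=unknown
        fi
        printf '%-11s %-12s %s\n' "$name" "$class" "$raw"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Check this host; a non-zero result means something still needs attention.
check_vulns || echo "ACTION NEEDED: install kernel updates and reboot" >&2
```

A missing status file is deliberately treated as a failure, so unpatched hosts are not silently reported as clean.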
Additional Reading
There are some good summaries and writeups by others:
- The official site for these 2 vulnerabilities: https://meltdownattack.com/
- A technical blog from Google: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
- A good article from the New York Times: https://mobile.nytimes.com/2018/01/03/business/computer-flaws.html
- A good summary at the end of the article: https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
- A great summary from Nicole Perlroth on Twitter:
1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
— Nicole Perlroth (@nicoleperlroth) January 3, 2018