Yesterday, The Register published a report claiming that Windows and Linux developers were trying to fix a “fundamental design flaw in Intel’s processor chips.”
According to the report, the flaw theoretically allows any program to view the layout or contents of protected kernel memory areas, which include passwords, login keys, cached files, and other sensitive data.
After the report went public, along with a tweet containing sample code, Google’s Project Zero security team came forward with further details. In a blog post, the team said that it discovered the vulnerability in May last year and notified Intel, AMD, and ARM, and that those companies have been working on fixes since then.
Spectre and Meltdown
Google, in its report, said there are three different variants of the flaw – CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. The first two are called ‘Spectre,’ and the last is referred to as ‘Meltdown.’
Spectre steals data from the memory of other applications running on a machine, while Meltdown allows attackers to read protected kernel memory. It’s certainly a big flaw, but it can be mitigated by OS updates. Furthermore, Meltdown seems to be limited to Intel chips, whereas Spectre affects almost all modern processors.
In its blog post, the company says that exploiting Meltdown and Spectre “has shown to be difficult and limited on the majority of Android devices,” and that the fixes for ARM chips were included in the Android January 5 security patch level.
Google further notes that Chrome version 63 already includes a feature called Site Isolation, which forces websites to use separate address spaces. This can be turned on by switching the #enable-site-per-process flag to ‘Enabled.’ Read the help page for further details.
Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in a patch coming Tuesday. The changes were already seeded to beta testers running fast-ring Windows Insider builds in November and December.