Intel Spectre and Meltdown Vulnerabilities - From Bad to Worse

in #security7 years ago

meltdown-spectre.jpg

In January, security researchers announced a series of vulnerabilities that affect every modern microprocessor from Intel, AMD and ARM since 1995. These vulnerabilities were dubbed spectre and meltdown. According to Bruce Scheier's Blog, Schneier on Security, "they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer."

The main issue with these vulnerabilities is that they are not normal software vulnerabilities that can be patched with a simple software update. These vulnerabilities stem from speed vs. security trade-offs that the chip manufacturers have made and the vulnerabilities target the way that the chips work. This makes it very difficult if not impossible to roll out fixes for these issues. In addition, even if a fix was readily available, there are countless devices out in the wild that have these chips with no efficient way to automate patching. Think of all of the video cameras, home routers, and other IoT devices that are out there.

Schneier predicted in January that we would be seeing more of these variants, and the new variants have a good possibility of being even nastier.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

Unfortunately, it appears he was correct. Recently, researchers have announced two new related vulnerabilities, variants 3a and 4. I will not be surprised to see more of these variants show up throughout the year as these vulnerabilities become higher profile and we get more security researchers spending time researching and discovering similar vulnerabilities.

There are patches available for these vulnerabilities, so you should take steps to make sure that these patches have been installed on your systems. Bleeping Computer has a great list of advisories, patches and updates related to these vulnerabilities. Don't sleep, and be safe out there!

Sort:  

Congratulations @sendingtime! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of posts published

Click on any badge to view your own Board of Honor on SteemitBoard.

To support your work, I also upvoted your post!
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Do you like SteemitBoard's project? Vote for its witness and get one more award!