What Is Meltdown And Spectre Security Flaws? A breach in INTEL AMD ARM Processor.

Meltdown and Spectre security flaws in INTEL AMD ARM put All device at Risk.Security researchers on Wednesday disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel, Advanced Micro Devices, and ARM Holdings.

What is Meltdown And Spectre Security Flaws

Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage Meltdown and Spectre of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These Meltdown and Spectre vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.

Methods and Types of Attack

To take advantage of this Meltdown And Spectre an attacker first must be able to run malicious code on the targeted system.

The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.

In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.

That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.

Two Vulnerability target specific processor

The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD, and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

How to Secure Yourself From Meltdown And Spectre Security Flaws

The researchers said Apple and Microsoft had patches ready for users for desktop computers affected by Meltdown Spectre. Microsoft said in a statement it had no information suggesting any compromised data but was “releasing security updates today to protect Windows customers against vulnerabilities.” Apple did not immediately return requests for comment.

Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there “is near zero risk to AMD products at this time.

Comment from Security Researcher

Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it probably one of the worst CPU bugs ever found” in an interview with Reuters.

Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches. Spectre, the broader bug that applies to nearly all computing devices.