Security Bulletin: Meltdown and Spectre Vulnerabilities
Learn about Meltdown and Spectre Vulnerabilities and what you should do.
Gary Glover, SVP, Assessments (CISSP, CISA, QSA, PA-QSA)
Meltdown and Spectre are possible due to design flaws in several modern CPU architectures. These bugs were first presented in scientific papers, and then announced publicly on the Google Project Zero blog on January 3, 2018.
According to researchers, Meltdown can "melt" security boundaries by breaking the mechanism that keeps applications from accessing arbitrary system memory—which could include things like passwords, card numbers, etc. Spectre works by breaking the isolation between different applications, allowing an attacker to trick error-free programs that follow best practices into leaking their secrets.
What should you do?
Install updates and patches as they come from your OS and CPU manufacturers. Companies including Microsoft, Intel, and Google have been working around the clock to create patches for these vulnerabilities. Downloadable tools are being developed by various CPU manufacturers to detect the Meltdown and Spectre vulnerabilities; watch for them.
You can find a full list of links to the official security advisories of affected manufacturers and companies here.
We don't yet know if Meltdown or Spectre have been or are being abused in the wild, but now would be a good time to check for patches or updates available from your OS and CPU manufacturers.
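One quick, non-intrusive check you can run today on Linux hosts, added here as an example and not part of the original bulletin or any vendor tool: kernels that carry the Meltdown/Spectre fixes expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/, reading "Not affected", "Vulnerable" or "Mitigation: <name>". The script below reads those files and gives a pass/fail verdict; the function names and the sample directories it builds for demonstration are this example's own, and the absence of the files is treated as "unknown", which is the usual sign of a kernel that predates the patches.

```shell
#!/bin/sh
# Added example (not from the bulletin): report the kernel's own view of
# Meltdown and Spectre mitigation status on a Linux host.
# Assumption: a Linux kernel that provides the sysfs vulnerabilities interface
# (4.15+ or a patched stable kernel). Each file holds one line such as
# "Not affected", "Vulnerable" or "Mitigation: PTI".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
ISSUES="meltdown spectre_v1 spectre_v2"

# Print one line per issue: <name><TAB><status>. Never fails, so it is safe
# to call on hosts where the files do not exist.
report_status() {
    dir="$1"
    for v in $ISSUES; do
        if [ -r "$dir/$v" ]; then
            printf '%s\t%s\n' "$v" "$(cat "$dir/$v")"
        else
            printf '%s\t%s\n' "$v" "unknown (status file missing; kernel too old for the fixes?)"
        fi
    done
}

# Return 0 only when every issue reports "Not affected" or "Mitigation: ...".
# A "Vulnerable..." status or a missing file counts as a failure, because a
# missing file means the kernel cannot tell us the mitigation was applied.
all_mitigated() {
    dir="$1"
    rc=0
    for v in $ISSUES; do
        if [ -r "$dir/$v" ]; then
            case "$(cat "$dir/$v")" in
                "Not affected"|Mitigation:*) ;;
                *) rc=1 ;;
            esac
        else
            rc=1
        fi
    done
    return $rc
}

# Build a constructed sample directory (not a real host) so the logic can be
# exercised without root and without a vulnerable machine.
# Usage: make_sample <meltdown> <spectre_v1> <spectre_v2>; prints the path.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/meltdown"
    printf '%s\n' "$2" > "$d/spectre_v1"
    printf '%s\n' "$3" > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: show the live host first, then two constructed samples.
echo "== live host ($VULN_DIR) =="
report_status "$VULN_DIR"
if all_mitigated "$VULN_DIR"; then echo "verdict: all three issues mitigated"; else echo "verdict: NOT fully mitigated, check for OS/firmware updates"; fi

patched=$(make_sample "Mitigation: PTI" "Mitigation: __user pointer sanitization" "Mitigation: Full generic retpoline")
unpatched=$(make_sample "Vulnerable" "Vulnerable" "Vulnerable")
echo "== constructed sample: patched =="
report_status "$patched"
if all_mitigated "$patched"; then echo "verdict: mitigated"; else echo "verdict: not mitigated"; fi
echo "== constructed sample: unpatched =="
report_status "$unpatched"
if all_mitigated "$unpatched"; then echo "verdict: mitigated"; else echo "verdict: not mitigated"; fi
rm -rf "$patched" "$unpatched"
```

Set VULN_DIR to point the script at a different sysfs root (for example a mounted image) without editing it. The verdict is deliberately strict: an absent status file is reported as unknown and fails the check rather than passing silently, since the bulletin's advice is to confirm the update is actually present, not to assume it.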
Who discovered Spectre and Meltdown?
Spectre was independently discovered and reported by two people:
- Jann Horn (Google Project Zero)
- Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).
Meltdown was independently discovered and reported by three teams:
- Jann Horn (Google Project Zero)
- Werner Haas, Thomas Prescher (Cyberus Technology)
- Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology).
For press inquiries, please call 801-995-6516.