Google Project Zero and other security teams disclosed that there was a serious security vulnerability in Intel and other processor chips, issued a A-level vulnerability risk notice, and reminded that the vulnerability evolved into a A-level cyber security disaster for the cloud and information infrastructure. Relevant vulnerabilities exploit the implementation flaws of the acceleration mechanism worked at chip hardware level to execute side-channel attacks, and indirectly read system memory through CPU cache. Meltdown is named for "melting" the hardware security boundary, and Specter is named for its invisibility.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. The bug basically melts security boundaries which are normally enforced by the hardware. Allow low-privileged user-level applications to "cross-boundary" access system-level memory, resulting in data leakage.
Spectre breaks the isolation between different applications. The root cause is speculative execution. This is a basic optimization technique that processors employ to carry out computations for data they "speculate" may be useful in the future. The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. In the process, Intel did not well isolate low-privileged applications from accessing kernel memory, which means that attackers could deliver malicious applications to get private data that should be isolated.
This security incident has a wide impact, including:
Processor chip: Intel, ARM, AMD, and other processors may also have the risks.
Operating System: Windows, Linux, macOS, Android
Cloud providers: Amazon, Microsoft, Google, Tencent Cloud, Alibaba Cloud and so on
Various private cloud infrastructures.
Desktop users may encounter attacks that combine this mechanism.
Vulnerabilities lead to information leakage in CPU operational mechanisms. Low-level attackers can exploit vulnerabilities to remotely access user information or locally access higher-level memory data.
In actual attack scenario, the attacker can do below under certain conditions:
- Access the underlying operating data, encryption keys and others in local OS;
- Bypass the isolation protection for Kernel and HyperVisor using the leaked information;
- Access the private information of other members in cloud services;
- Steal user private information such as account, password, content, email address, cookie, etc. via browser.
Meltdown and Specter are both locally executed vulnerabilities. An attacker who wants to exploit this vulnerability should have code execution privilege on the target machine at first, so as long as the user does not introduce untrusted code, it will not affect the user. However, taking into account that common user has week security awareness, it is not impossible to introduce untrustworthy code, so please fix the bug according to your own situation based on the vendor instructions.
Apply KPTI / KAISER patches to split the kernel and user spaces, preventing attackers from reading kernel memory under common user privileges.
Considering that the browser is a common attack surface, it is highly likely that malicious code enters user PC through the browser, so the primary defense for the individual against the vulnerabilities relies on the browser. Here are the defense methods of different browsers:
(1) For Google Chrome users
Turn on Strict Site Isolation in Chrome browser, which reduces the amount of data that can be attacked by side-channels attack, because Chrome renders content for each open website in a separate process. Chrome will fix the vulnerability in late January updates.
(2) For Firefox users
Upgrade Firefox to version 57.0.4: https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
In deepin 15.5 updates on January 24, 2018, Linux Kernel 4.14.12 fixed Meltdown vulnerability.
In Deepin Store updates on January 22, 2018 for deepin 15.5, Firefox was updated to version 57.0.4, and Chrome was updated to version 63.0.3239.132, the first phase of fixing Specter vulnerability.
After updating to Google Chrome to version 63.0.3239.132-1, please enable "Strict site isolation" manually:
Type chrome://flags in the address bar and press Enter.
Scroll down the page and find “Strict site isolation” and press the Enable button.
Restart the Chrome browser.
Please update your system as soon as possible to fix vulnerabilities.
Note: Here are references for security updates: