Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer.
Security researchers working for Google’s Project Zero group, along with other research groups and academic institutions, have discovered a series of far-ranging security risks involving speculative execution. Speculative execution is one of the cornerstones of high-performance execution on modern CPUs, and is found in essentially all CPU designs more performant than an embedded microcontroller. As a result, essentially every last high-performance CPU on the market or that has been produced in the last couple of decades is vulnerable to one or more of a few different exploit scenarios.
The immediate concern is an exploit being called Meltdown, which primarily affects Intel’s CPUs, but also has been confirmed to affect some ARM CPU designs as well. As a result, Meltdown can be readily used to spy on other processes and sneak out information that should be restricted to the kernel, other programs, or other virtual machines.
Meanwhile a second class of attacks is being called Spectre, and the number of processors at risk for exploitation is even wider. Essentially every high-performance processor ever made – Intel, AMD, ARM, and POWER – is thought to be vulnerable here. Like Meltdown, a Spectre attack abuses speculative execution in order to glean information that should be restricted. What makes Spectre different however is that it’s a less-straightforward but much more insidious attack; whereas Meltdown is based on abusing specific implementations of speculative execution, Spectre can be thought of as a (previously unknown) fundamental risk of speculative execution, one that can now be weaponized.
The solutions are software and microcode patches for users: there’s not much a user can do, but there’s also not much a user has to do. The software and microcode updates to mitigate these exploits will be distributed as software updates, so keeping your systems and mobile devices up-to-date with the latest OS version is the single most important step one can take. As mentioned earlier, everyone has or is in the process of rolling out the necessary software updates to help mitigate this.