A very serious security flaw affecting the vast majority of modern CPUs was publicly disclosed a few days ago. The vulnerability had actually been discovered almost simultaneously by 4 different teams of researchers, all of whom contacted Intel about it, only to be told that someone else had already reported it.

Both flaws, Meltdown and Spectre, originate in the fact that modern processors perform so-called ‘speculative execution’ for performance reasons. In short, the processor tries to guess what it will have to do next and executes it ahead of time. In doing so, it loads some data into the cache. If the guess turns out to be wrong and the speculated instructions are never actually needed, that data is discarded. However, the problem arises from the fact that the data was loaded into the cache in the first place. This is where the two vulnerabilities come into play.

The Meltdown vulnerability allows, in short, user programs to read kernel data that is leaked by this speculative execution. It is particularly bad for Intel chips, but in theory it could also affect chips by other manufacturers.

Spectre is an even more dangerous vulnerability, as it is more generic. It affects any processor that uses speculative execution, which essentially means any processor manufactured since the mid-1990s. Spectre allows an attacker to steal data from other applications running on the machine. This also applies to virtualized machines. So theoretically, an attacker could gain access to a hypervisor and subsequently steal data from multiple virtual machines on that hypervisor.

The seriousness of these two vulnerabilities cannot be overstated. Essentially every computer with an affected processor is at risk.

So if by now you’re wondering, “What can I do about this?”, the answer is simple: update all of your systems to the latest security patch as soon as possible. This includes both your personal devices and servers.

Not all operating systems have had patches released yet, but security updates for major operating systems are already available, and many more will be released in the coming days.
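
After patching a Linux machine, you can confirm that the kernel mitigations are actually active. The script below is an added example, not part of the original post: it assumes a Linux kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities/, and the sample status lines in it are constructed so that the demo runs on any machine.

```shell
#!/bin/sh
# Added example: report kernel-side Meltdown/Spectre mitigation status on Linux.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/.

# Map one sysfs status line to OK, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print "<flaw> <verdict> <raw status>" per flaw; return 1 unless all are OK.
check_cpu_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            # A missing file usually means the kernel predates the fixes.
            status="no kernel report"
        fi
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Constructed sample directory standing in for the real sysfs path.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed data; call check_cpu_mitigations with no
# argument to inspect the machine the script is running on.
sample=$(make_sample_dir)
check_cpu_mitigations "$sample" || echo "at least one flaw is not fully mitigated"
rm -rf "$sample"
```

A verdict of UNKNOWN with "no kernel report" should be treated as unpatched until the kernel has been updated and the machine rebooted.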
