The newest threats to make headlines in the tech industry have arrived in the form of two vulnerabilities known as Meltdown and Spectre.
These vulnerabilities affect all modern processors, which are installed in everything from desktop computers to the new smartphone you just picked up at the store. In fact, you’re likely reading this right now on a device that’s affected. But fear not: device manufacturers are working hard to create and release updates that patch or mitigate the vulnerabilities. Once they have released their patches, our team here at ACE will ensure that they are pushed out and installed on your managed devices.
Meltdown (InfoSec Vulnerability Name: CVE-2017-5754)
Meltdown enables a program to sidestep standard protections and read parts of system memory that it cannot normally access. This is noteworthy because memory often holds the information that other programs are working with, including passwords and other sensitive data.
Let’s put this into perspective. Say you’re working on a document that contains a few cooking recipes you just found online, and your system is suddenly exploited by a hacker using Meltdown. The hacker now has the ability to read your system’s memory and potentially view data from an accounting program you were working in a few hours ago, which contained sensitive employee data.
Spectre (InfoSec Vulnerability Name: CVE-2017-5715 & CVE-2017-5753)
Spectre tricks programs into performing actions that they would not normally perform. Similar to the threat posed by Meltdown, this could include extracting sensitive data from one program and sending it to a program that can be easily accessed by an untrusted source.
This particular threat uses a computing technique called speculative execution. Speculative execution allows programs to queue up a task that the program believes will be needed before it’s actually needed, which increases both speed and productivity. Spectre exploits this technique by tricking a program into treating a speculative execution command issued by a hacker as a legitimate command queued up by the program itself, and then uses that to extract sensitive data from the program.
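To confirm that mitigations for the three CVEs named above are actually in place once patches have been installed, the following added example (not part of the original article or any ACE tooling) reads the status that a Linux kernel, version 4.15 or later, reports under /sys/devices/system/cpu/vulnerabilities. The function names and the four verdict labels are choices made for this example.

```python
"""Report kernel-reported mitigation status for Meltdown and Spectre (Linux only)."""
from pathlib import Path

# Linux 4.15+ exposes one plain-text status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE named in the article -> sysfs file name used by the kernel.
CVE_FILES = {
    "CVE-2017-5754 (Meltdown)": "meltdown",
    "CVE-2017-5753 (Spectre variant 1)": "spectre_v1",
    "CVE-2017-5715 (Spectre variant 2)": "spectre_v2",
}

def classify(status):
    """Map a raw status line to a verdict label (labels are this example's own)."""
    if status is None:
        return "unknown"
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Return {cve: (verdict, raw_text)}; a missing file yields ('unknown', None)."""
    report = {}
    for cve, name in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:  # old kernel, non-Linux host, or restricted container
            raw = None
        report[cve] = (classify(raw), raw)
    return report

def needs_attention(report):
    """CVEs whose status is neither mitigated nor not affected."""
    ok = ("mitigated", "not_affected")
    return sorted(cve for cve, (verdict, _) in report.items() if verdict not in ok)

if __name__ == "__main__":
    rep = read_status()
    for cve, (verdict, raw) in rep.items():
        print(f"{cve:36} {verdict:13} {raw or 'no sysfs entry'}")
    raise SystemExit(1 if needs_attention(rep) else 0)
```

The non-zero exit code when any entry is vulnerable or unknown lets the script act as a compliance check in a patch-management run.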