Security vulnerabilities have been identified in computer chips manufactured by Intel, ARM and AMD. The specific vulnerabilities are as follows:
- The “Meltdown” bug has to do with the ability of running user processes to access protected kernel memory, essentially a privilege escalation attack. The applies to all machines which use Intel X86 processors, MAC, PC and Linux. The amount of data recovered is small, so it’s not clear what such an exploit would actually accomplish.
- The “Spectre” bug breaks down isolation between different applications. Malicious actors exploiting Spectre could trick running processes into leaking information. Spectre has been verified on Intel, AMD and ARM processors.Please note that both vulnerabilities impact personal computers, mobile phones and servers, including both cloud servers and non-cloud servers.
Recommendations:
- Apply operating system (OS) updates as soon as they become available. Microsoft, Apple, the Linux community and others have begun to release updates which address these vulnerabilities and may release further updates as researchers learn more about these vulnerabilities.
- Apply software updates as soon as they become available. Microsoft, Mozilla, Google and others are issuing patches for their web browsers.
- Chrome Users: can turn on the “Site Isolation” feature on their devices to mitigate these flaws. To turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
Look for Strict Site Isolation, then click the box labeled Enable.
Once done, hit Relaunch Now to relaunch your Chrome browser.
- Chrome Users: can turn on the “Site Isolation” feature on their devices to mitigate these flaws. To turn Site Isolation on Windows, Mac, Linux, Chrome OS or Android:
- Apply firmware updates as soon as they become available.
- See List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates
For additional information, please see:
- https://www.us-cert.gov/ncas/alerts/TA18-004A
- https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/
- https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw
- https://www.nytimes.com/2018/01/03/business/computer-flaws.html