Meltdown and Spectre Security Vulnerabilities

Earlier this week, research published by the Project Zero security team at Google brought to public attention a group of security vulnerabilities affecting many modern processors. The vulnerabilities have been given the names Meltdown and Spectre, and could allow an attacker to read arbitrary locations in virtual memory (e.g. read data stored in memory belonging to other user or kernel processes).

These vulnerabilities are notable both for how the exploits work and for their reach. The exploits rely on the speculative instruction execution capabilities that have been present in modern CPUs for almost 20 years, and as such, nearly all modern processors are affected by at least one of the vulnerabilities in this group.

This Project Zero blog post has a good summary of the vulnerabilities, complete with links to the research papers and websites that have been created for both vulnerability groups: Meltdown and Spectre.

Many platform, OS and software vendors are starting to release patches to prevent the vulnerabilities from being exploitable. Unlike a vulnerability that exists in the OS or software layer, this vulnerability exists in the design of how the CPU processes instructions at the lowest level, so we’re seeing patches at many layers in the full stack, from OS to user applications, to prevent the specific conditions which allow this vulnerability to be exploited.
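To confirm that the OS-layer patches are actually active on a Linux host, the following added example (not from the original post) classifies the kernel's self-reported mitigation state. It assumes the sysfs directory `/sys/devices/system/cpu/vulnerabilities`, a Linux kernel interface (4.15 and vendor backports) that the post does not mention; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported mitigation state.
# Assumption: Linux sysfs interface below; kernels without the patches
# (or without the reporting backport) have no such files.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<file contents>" prints one of:
#   not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# mitigation_report [dir] prints "<issue> <class> <raw text>" per issue.
# Returns 0 only if every issue is mitigated or not affected, 1 otherwise.
mitigation_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            raw=$(cat "$dir/$issue")
            class=$(classify_status "$raw")
        else
            # A missing file means the kernel cannot report on this issue.
            raw="(no sysfs entry: kernel predates the reporting interface)"
            class=unknown
        fi
        case "$class" in vulnerable|unknown) rc=1 ;; esac
        printf '%s %s %s\n' "$issue" "$class" "$raw"
    done
    return $rc
}

# make_sample_dir prints the path of a constructed sample directory
# (illustrative contents, not data from a real host).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    # spectre_v2 is deliberately absent to exercise the "unknown" path.
    echo "$d"
}
```

Calling `mitigation_report` with no argument reads the live sysfs directory; a non-zero exit status makes it usable as a gate in fleet patch-compliance checks.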