Earlier this week, security vulnerabilities named Spectre and Meltdown made news headlines around the globe. Several manufacturers have since created patches to fix the problems. Some of them have even said these two defects are not as intimidating as the media represents.
However, reports across the web have described the problem in various ways. If you are unsure what the real problem was and what it implies for computers across the globe, Google’s full explanation of Spectre and Meltdown should clear up your doubts.
What are Spectre and Meltdown?
Last year, Google’s Project Zero team found severe security flaws caused by “speculative execution,” a method used by most advanced processors (CPUs) to optimise execution.
Independent researchers separately recognized and described these vulnerabilities, Spectre and Meltdown.
Project Zero reported three variants of this new form of speculative execution attack. Variant 1 and Variant 2 have been referred to as “Spectre.” Variant 3 has been referred to as “Meltdown.” Most vendors refer to them by their Common Vulnerabilities and Exposures (“CVE”) names, an industry-standard way of identifying vulnerabilities.
There’s no single fix for all three attack variants; each needs protection individually.
Here’s an Overview of Each Variant:
Variant 2 (CVE-2017-5715), “branch target injection.” This variant may be addressed either by a CPU microcode update from the CPU vendor or by applying a software protection called “Retpoline” to binaries where data leakage is a concern. This variant is currently the basis for concern around cloud virtualisation and the “hypervisor bypass” issues that affect entire systems.
Variant 3 (CVE-2017-5754), “rogue data cache load.” This variant is the basis of the discussion around “KPTI,” or “Kernel Page Table Isolation.” When an attacker can already run code on a system, they can access memory which they do not have permission to access.
Am I Safe From Spectre and Meltdown?
Google’s engineering teams started working to shield customers from these vulnerabilities upon learning of them in June 2017. The company has updated G Suite and Google Cloud Platform (GCP) to guard against all identified attack vectors. Some customers may worry that they are not safe, since the company did not ask them to reboot their instances. Google Cloud is architected in a way that allows us to update the environment while providing operational continuity for our customers. Via live migration, we can patch our infrastructure without asking customers to reboot their instances.
Moreover, customers who use their own operating systems with Google Cloud services should continue to follow security best practices and apply security updates to their images, just as they would for any other operating system vulnerability.
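For customers maintaining their own Linux images, one way to confirm that updates for Variant 2 and Variant 3 have taken effect is to read the status files the kernel publishes. The script below is an added example, not code from Google or from the original article. The sysfs directory and status strings are the Linux kernel's reporting interface (4.15 and later), not something the article specifies, and the sample file contents are constructed.

```python
from pathlib import Path

# Linux kernels 4.15 and later publish one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> variant label and CVE exactly as the article gives them
CHECKS = {
    "spectre_v2": "Variant 2 (CVE-2017-5715)",
    "meltdown": "Variant 3 (CVE-2017-5754)",
}

# Constructed sample file contents, so the logic can be exercised offline.
SAMPLE_PATCHED = {"spectre_v2": "Mitigation: Full generic retpoline\n",
                  "meltdown": "Mitigation: PTI\n"}
SAMPLE_UNPATCHED = {"spectre_v2": "Vulnerable\n"}  # meltdown file absent


def classify(status):
    """Map the kernel's one-line status to a coarse state."""
    s = status.strip().lower()
    for prefix, state in (("not affected", "not_affected"),
                          ("mitigation", "mitigated"),
                          ("vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return state
    return "unknown"


def read_sysfs(name):
    """Return the status text for one issue, or None if the file is missing."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None


def audit(read_status=read_sysfs):
    """Return {variant label: (state, detail)} for Variants 2 and 3."""
    report = {}
    for name, label in CHECKS.items():
        raw = read_status(name)
        if raw is None:  # older kernels do not report at all
            report[label] = ("unknown", "no status file")
        else:
            report[label] = (classify(raw), raw.strip())
    return report


def needs_attention(report):
    """Variants that are vulnerable or cannot be confirmed as mitigated."""
    return sorted(label for label, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    for label, (state, detail) in audit().items():
        print(f"{label}: {state} ({detail})")
```

A missing status file is treated as "unknown" rather than safe, because a kernel too old to report is also too old to carry the fixes.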