This Week in Security: Internet Meltdown Over Spectre of CPU Bug

Security researchers from Google Project Zero, Cyberus Technology, and Graz University of Technology have discovered two separate vulnerabilities which have set the tech industry ablaze. The vulnerabilities, aptly named Meltdown and Spectre, affect virtually every modern computer, cloud server, smart phone, tablet and internet of things (IoT) device regardless of operating system.

Meltdown appears to originate back to circa 1995, affects a limited set of hardware and allows malicious applications to bypass hardware set barriers between kernel and user process memory. Spectre on the other hand affects nearly all modern processors regardless of vendor and originates in a logic flaw on error checking of memory.  

When exploited, the vulnerabilities Spectre and Meltdown can be abused by would-be cybercriminals and malicious applications to read sensitive areas of normally protected memory. These areas of memory could contain sensitive data such as personal identifiable information, credit cards, login credentials, key strokes, encryption keys or sensitive operating system information such as normally protected key memory addresses that exploits use to compromise a system. 

An ideal target for these attacks would be multi-tenant environments, shared workstations, or cloud computing architectures in which a malicious user could launch these attacks in their rented account to gather data about other tenants who share the same machine. Due to the nature of this attack, users who shared the same machine would never know the attack was being leveraged against them, as the attack requires no user interaction, nor provides any visual or performance evidence that an attack is being conducted.

To further complicate the issue, it has been demonstrated that these attacks can even be exploited by interpreted languages such as JavaScript, meaning malicious websites could use these side-channel based attacks to collect data about a user without their acknowledgement. Attackers who compromise (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog