Almost every processor designed since 1995 is affected by “Speculative Execution Side-Channel Attacks” as per the extensive research was done by the researchers of Google Project Zero – Meltdown & Spectre. The vulnerabilities have been segregated into two categories viz. Meltdown and Spectre.
Intel, ARM and ARM processors are affected by this vulnerability, furthermore, Microsoft has released an out of band update to address these vulnerabilities.
Being a design flaw of processors which allows the malicious process to access the privileged memory areas, the fix/patch would be difficult to mitigate in certain cases. CVE-2017-5754 has been assigned to Meltdown, while CVE-2017-5753 and CVE-2017-5715 have been assigned to Spectre.
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
Meltdown and Spectre exploit the “speculative execution” feature in chips which is used by most modern CPUs to optimize performance.
“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.
Upon implementation of these patches, users may observe a performance drop up to 30% in worst case scenario.
Advisory issued by Microsoft can be accessed Microsoft Advisory, furthermore, users should enable Automatic updates. However, it yet unknown how smartphone device manufactures would be pushing the updates considering for a fact that every vulnerability addressed by Android takes a long time to be made available to the end-users by the device manufacturers. Apple/iOS traditionally have always been very quick in addressing the concerns and have been providing patches to its users at a much faster rate and this time around too, we expect Apple to provide a resolution for these issues.
Apple has issued a statement pertaining to Meltdown / Spectre and iOS / Mac users should expect updates to the Safari Browser in next few days.
As on 6th Jan 2018, we have rolled out the patch to add the Registry Keys , as mandated by Microsoft’s Advisory , through our Global Updates.
Note By Microsoft : Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:
Key=”HKEY_LOCAL_MACHINE” Subkey=”SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat” Value=”cadca5fe-87d3-4b96-b7fb-a231484277cc” Type=”REG_DWORD”