On Wednesday, December 3, reports surfaced about a vulnerability in Intel CPU’s, allowing attackers, through manipulating someone to run code on a machine, to read system memory. This mechanism could be used, for example, to harvest secrets directly from memory. If you are a security-aware person using a password manager, this could grab those passwords, hypothetically. And emails. And everything else.

The vulnerability is dubbed “meltdown” after an initial, frustration inspired handle of “f*ckwit”. It breaks the isolation between the protected OS and the application layers. Its companion vulnerability “spectre” breaks isolation between applications. It’s not only Intel, it’s pretty much all other architectures too, although ARM is just vulnerable to the “spectre” one. “Cumulative speculation” is mentioned. What does this mean?

DNS guru Bert Hubert described the issue as follows in a Dutch blog post: “You’re cooking a meal and the recipe contains a condition: if there’s candy in the secret cupboard, then put butter in the pan. Because you read the recipe, you can check the secret cupboard, locate the candy. You now know the existence of a stick of butter and you can grab it.”

So, what’s the implication? And what’s relevant?

  1. Yes, pretty much every device it vulnerable, PC, Apple, Android. The one you’re reading this on, too.
  2. An attacker still needs to social engineer you to execute their attack payload.
  3. No, you can’t do anything about it. It’s a hardware flaw, even if you could replace your CPU, CPUs without the flaw don’t exist.
  4. Nice people at Microsoft, the Linux community, Android and Apple are coming to the rescue. They are as we speak testing OS workarounds. They will circumvent this issue at the cost of a performance degradation. These workarounds will release as an OS update as soon as today.
  5. So, update. In the coming weeks, tap the “search for update” button a bit more often than you usually did. In all fairness that’s all you can do. There seems to be some issues with some anti-virus apps and some updates, and we’re monitoring that space.
  6. The Catch 22 is you should be aware that pressing update might impact your performance. 5 to 30 percent is reported. If you’re running databases, cloud environments, real-time solutions, you might be between a rock and a hard place, and be forced to choose between performance & security. That said, many think the performance impact might not be too bad.
  7. And finally, just a few weeks ago we’ve had KRACK, another big vulnerability in WIFI security, you can’t do anything about, and hardware flaw ROCA. You might have noticed the world hasn’t stopped turning and your mobile phone is still working. There are 100s of thousands of unknown vulnerabilities because they sit in stuff that works and no one has ever discovered them. As researchers are working around the clock, they’re bound to discover more of them. As OS developers are frustrated to be forced to work around hardware flaws we feel for them, but the important thing is they are discovered and mitigated.

Yes, it’s worrying, arguably big and risky, it’s messy, but unless you’re a kernel security architect, you can’t do anything except worry about what the future holds. And our advice on this is: don’t. It’s a bumpy road we’re on, but the journey is rewarding.


Vendor statements:












Papers en CVE data:

Meltdown Academic Paper – https://meltdownattack.com/meltdown.pdf

Spectre Academic Paper – https://spectreattack.com/spectre.pdf

Google Project Zero – https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

Cert Advisory (VU#584653) – http://www.kb.cert.org/vuls/id/584653

CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753

CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715

CVE-2017-5754 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-575