A new series of vulnerabilities has been disclosed (CVE-2017-5753/5715/5754) affecting the most popular computer processors and leaving millions of devices exposed to exploitation. These vulnerabilities allow users or applications with low privileges to read data in memory. Data stored in memory may include passwords, pictures, text, and any other kind of information. At first these vulnerabilities were thought to affect only Intel, but later reports indicate that AMD and ARM processors are affected as well.
Meltdown and Spectre are the two trending names associated with these vulnerabilities. Meltdown means the boundary between applications and the operating system no longer holds: exploiting it allows an attacker to read memory belonging to any other running application or process. Spectre tricks otherwise correct programs into leaking the contents of their memory by inducing erroneous operations, after which that data can be read.
[Figure 1: Meltdown POC (image not reproduced)]
[Figure 2: Spectre POC, modified from https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#file-spectre-c-L50 (image not reproduced)]
The proof-of-concept exploitation code suggests a side-channel type of attack, which may require some preliminary steps before full exploitation (e.g. tricking a user into browsing to a page carrying the exploit code, or accessing a server, transferring the code, and then executing it). This does not lessen the risk of these vulnerabilities, however: a malicious actor could, for example, simply create an account with a popular cloud provider, execute the exploit on his or her own servers, and read other tenants' information through memory and application leakage.
It is also very possible that these vulnerabilities will soon be chained with other exploits, allowing them to be executed in a way that gives more streamlined access to memory.
The biggest implication of these vulnerabilities is the number of devices that may be affected. Given that Intel, AMD, and ARM account for the large majority of modern processors, the task of applying mitigations looks very difficult. Some of these devices may not be patchable at all (think of embedded processors in cable modems, routers, and many other IoT devices). Others can be patched, but the mitigations available as of this writing are workarounds rather than fixes, and these workarounds come at a price: reduced performance and added latency. Those performance reductions may be significant enough to discourage some vendors from patching their devices.
Suggested mitigations consist of applying patches at the operating system level, since the deployed hardware is flawed and cannot be modified. Below is a list of detailed technical resources and mitigation information.
Official Vulnerability page with technical POC and Research information
Google Project Zero
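Since the suggested mitigations are applied at the operating system level, the practical first step on a Linux fleet is to verify what the kernel reports for each of the three CVEs. The following is an added example written for this post, not code from the original article or from any vendor: it reads the per-issue status files that Linux kernels (4.15 and later) expose under /sys/devices/system/cpu/vulnerabilities/, classifies each line, and lists the CVEs that still need action. The file names spectre_v1, spectre_v2 and meltdown are the kernel's own; the sample status lines in SAMPLE_SYSFS are constructed to represent a partially patched host and were not captured from a real machine.

```python
"""Report the kernel-advertised mitigation status for CVE-2017-5753/5715/5754.

Added example for this post (not the article's own code). Linux 4.15+ exposes
one file per issue under /sys/devices/system/cpu/vulnerabilities/; each file
holds a single line such as "Not affected", "Mitigation: PTI" or "Vulnerable".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE identifiers from the post mapped to the file names the kernel uses.
ISSUE_FILES = {
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
    "CVE-2017-5754": "meltdown",
}


def classify(status_line):
    """Map one sysfs status line to a coarse verdict string."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(sysfs_dir=SYSFS_DIR):
    """Read the raw status lines from a live system; a missing file maps to None.

    Files are missing on kernels that predate the reporting interface and on
    non-Linux hosts, which is itself a finding: the state cannot be confirmed.
    """
    lines = {}
    for name in ISSUE_FILES.values():
        path = Path(sysfs_dir) / name
        try:
            lines[name] = path.read_text()
        except OSError:
            lines[name] = None
    return lines


def assess(raw_lines):
    """Turn {filename: line-or-None} into {cve: (verdict, detail)}."""
    report = {}
    for cve, name in ISSUE_FILES.items():
        line = raw_lines.get(name)
        if line is None:
            report[cve] = ("unknown", "no sysfs entry (kernel predates reporting, or not Linux)")
        else:
            report[cve] = (classify(line), line.strip())
    return report


def needs_action(report):
    """CVEs the host still exposes, or whose state could not be determined."""
    return sorted(
        cve for cve, (verdict, _) in report.items()
        if verdict in ("vulnerable", "unknown")
    )


# Constructed sample of a partially patched host (not captured from a real machine).
SAMPLE_SYSFS = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    "meltdown": "Mitigation: PTI\n",
}


if __name__ == "__main__":
    # On a real host replace read_sysfs() with assess(SAMPLE_SYSFS) to see the sample run.
    report = assess(read_sysfs())
    for cve, (verdict, detail) in report.items():
        print(f"{cve}: {verdict:13} {detail}")
    pending = needs_action(report)
    print("needs action:", ", ".join(pending) if pending else "none")
```

A host whose kernel reports "Vulnerable" for spectre_v2 while meltdown shows "Mitigation: PTI" is a common intermediate state, since the kernel page-table isolation patch shipped separately from the Spectre v2 mitigations that also depend on updated microcode or compiler support; treating "unknown" the same as "vulnerable" keeps unpatched or unreporting kernels from silently passing an inventory check.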