Product Advisory: Processor Vulnerabilities Meltdown and Spectre

In January, 2018 a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the operating systems running on them.

To take advantage of this vulnerability, an attacker must first be able to run malicious code on the targeted system.

The Project Zero researchers discovered three methods of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.

In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.

Since this situation is very fluid and solutions are being rolled out every day, we’re including the following links to ensure you have the latest-greatest information on this ever evolving situation.

Should you have any questions on a specific computing solution provided by GMI, please reach out directly to your GMI contacts or send a general inquiry on our contact page.

  • What Wired Magazine had to say as of 1/6/2018 can be found here.
  • Tom’s Hardware pipes in on the subject here.
  • Higher level technical information from WeLiveSecurity can be found here.
  • For Apple products, there’s a decent FAQ at iMore, found here.

Information direct from hardware and software sources:

Hardware vendors

  • You can see Intel‘s official response here (comprehensive set of additional links to OS/hardware providers as well).
  • AMD has responded officially, and the text can be accessed here.
  • Super Micro issued information, which can be found here.
  • NVIDIA GPU information is here.

Software vendors

  • Information from Google on Google products can be found here.
  • Microsoft‘s official stance can be found here.
  • Apple has OSX information posted here.
  • Ubuntu has information on their solution here.
  • Red Hat information is posted here.
  • VMWare is listed technical overview here.

External links are selected and reviewed when the page was included. However, GMI is not responsible for the content of external websites because GMI does not produce them or maintain/update them, cannot change them and they can be changed without our knowledge or agreement. The inclusion of a link to an external website from our site should not be understood to be an endorsement of that website or the information published on them.