TL;DR: 2 vulnerabilities in CPU performance optimization that allow locally-running programs to access either system memory or other applications’ memory. One affects all Intel processors, the other affects all Intel, AMD and ARM – so basically everything from your phone to the cloud server you connect to.
Patches are rolling out for some attack vectors, basically having software do the security checks the hardware is supposed to. But it’s both a performance hit and whack-a-mole.
Meltdown and Spectre
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre…
The main target is a technique called speculative execution, where the CPU uses idle resources to predict the most likely followup instruction and do it ahead of time. If the next instruction comes in and it was right, great, it’s already done! If not, no big deal, it wasn’t doing anything else at the time, so it just rolls back the actions and moves on to what it’s been asked to do.
But it turns out that it doesn’t always roll back completely, and under the right circumstances it can leave traces in memory that another program can read.
More fun: As ~~Brion~~ Brooke points out, JavaScript can be used for timing attacks *in the browser*, so vendors are disabling high-precision timing and shared buffers in javascript.
