Old 01-17-2018, 08:59 AM   #7
mick
Abiding Student
 
Join Date: May 2016
Posts: 711
The following is from this week's edition of distrowatch.com, the Linux/Unix, open-source distribution website:

"There is a lot of information, and sometimes misinformation, about two processor (CPU) bugs which affect millions of computers and their users. This week we are going to try to clear up some of the details of the CPU vulnerabilities commonly referred to as Spectre and Meltdown.

First, let's talk about what each one is. The two issues are similar in many ways, but are two separate sets of bugs. Meltdown is the name of an issue which affects Intel x86 CPUs and some complex ARM CPUs. Meltdown allows a malicious program to read parts of the kernel's memory. This makes the whole operating system vulnerable as some important and private information is kept inside the kernel's memory. At this time it appears as though AMD x86 processors and some of the more simple ARM CPUs are not affected by the Meltdown bug.

Spectre is a little different. The Spectre bugs affect a wider range of hardware processors, including all modern Intel, AMD and ARM CPUs. The Spectre bug allows one malicious program to read the memory of other programs running on the same system. This means one program's password or security keys might be read by another program. Further, it has been shown that Spectre could allow a malicious program to send data to a guest operating system running in a virtual environment. Spectre can be triggered through JavaScript, meaning we can be affected simply by visiting an infected website.

These two issues are getting a lot of attention. Partly because they are very wide-spread, affecting millions of devices. And partly because successfully exploiting either issue can give an attacker a lot of access to the computer's memory and potentially critical information.

Fixing these two issues is complicated. Unfortunately, since both bugs are located in the CPU hardware itself, the problem cannot be truly fixed in software. At best, software like an operating system's kernel can be patched to work around the flaws. In the case of Meltdown, each operating system's kernel (whether it is Linux, macOS, a BSD or Windows) can be patched to work around the CPU flaw. The kernel patch is applied like any other security update by the operating system's package manager. The fixed kernel may cause some applications to run slower, but usually not to a noticeable amount on personal computers.

Spectre is harder to fix. The Spectre flaws represent a whole class of attacks, not just one specific flaw in the processor's hardware. This means working around the issue needs to happen in several places. Web browsers need to be patched to prevent JavaScript on web pages from performing attacks, and Google is looking at compiler fixes to steer software away from Spectre flaws. Dealing with Spectre is an on-going issue and will likely involve patching quite a lot of packages.

So what can we do about Meltdown and Spectre? From an end-user's point of view, not much. These problems exist in the CPU and affect processors going back years. Because the issues exist in hardware which cannot simply be patched, we need to wait for software developers to work around the issues. For most of us, the best we can do is apply security updates through our operating system's package manager when fixes become available. Fortunately, most major Linux distributions have already tested and made Meltdown patches available. Some patches to deal with Spectre have been published and more will likely become available in the coming weeks."

https://distrowatch.com/weekly.php?i...180115&mode=67
__________________
mick

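To confirm that the kernel updates the quoted article recommends have actually taken effect, the following is an added example, not part of the post or the DistroWatch text. It assumes a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` directory (an interface the article does not mention); the function names are hypothetical and the sample status strings are constructed.

```shell
#!/bin/sh
# Added example: report the kernel's own Meltdown/Spectre mitigation status.
# Assumption: the kernel provides /sys/devices/system/cpu/vulnerabilities;
# kernels that predate this interface have no such files and show "unknown".

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_bugs [DIR] -> prints one "name: verdict (raw text)" line per issue.
# Returns 1 if any issue is vulnerable or its status cannot be determined.
check_cpu_bugs() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        raw=""
        [ -r "$dir/$name" ] && raw=$(cat "$dir/$name")
        verdict=$(classify_status "$raw")
        case "$verdict" in
            vulnerable|unknown) rc=1 ;;
        esac
        echo "$name: $verdict${raw:+ ($raw)}"
    done
    return $rc
}

# Constructed sample directory so the check can be tried without real sysfs.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    # spectre_v2 is left out on purpose: simulates a kernel without the file
    echo "$d"
}

sample=$(make_sample)
check_cpu_bugs "$sample" || true
rm -rf "$sample"
```

Calling `check_cpu_bugs` with no argument reads the running system's status; a non-zero return after updating means at least one issue is still unmitigated or unreported.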