Recently, two new security vulnerabilities, dubbed “Meltdown” and “Spectre” were revealed to the public. These vulnerabilities were found by researchers last June of 2017. The vulnerabilities were discovered by researches like Jann Horn, of Google’s Project Zero–as explained in his blog post. Since the discovery of the two vulnerabilities, researchers have been hard at work trying to understand the vulnerabilities and update systems to fix the flaws.
So how have these vulnerabilities surfaced? Well it all has to do with how modern processors perform what is called “speculative execution”. To maximize performance, processors execute instructions before they are given–if they are correct they are followed, and if they are incorrect, they are disregarded. This means that if a processor uses speculative execution correctly it can increase performance and save time. However while speculative execution does not alter program behavior, it does create a deviation in computer behavior–or, a perturbation.
This perturbation can then be detected by measuring how long it takes to perform certain operations. If something can be predicted, then it can be understood and manipulated.
The precise impact of these exploits is that it could allow a potential attacker to execute code on a computer and obtain unauthorized access to memory space.
What is the Meltdown Vulnerability?
Meltdown is a vulnerability that is applicable to basically every Intel chip made in the last decade as well as some higher end ARM designs. Compared to Spectre, Meltdown is easier to execute and it allows any user program to read vast amounts of kernel data.
However, since the Meltdown flaw is very reliant on how memory is shared between user programs and kernel data, a solution could be to simply end the sharing of data between programs and the kernel. The bad news is that this could mean a performance decrease for Intel chips.
What is the Spectre Vulnerability?
Whereas the Meltdown vulnerability is mainly isolated on Intel chips, the Spectre vulnerability is present on Intel, AMD, and high performance ARM designs. The Spectre vulnerability could also be on any other processor on the market that uses speculative execution to operate.
The Spectre vulnerability uses a trick array to read memory within a single process which can then be used to attack virtual machines and various sandboxes. The vulnerability can also be used to cross-process attacks using the processor’s brand predictors (this means that it can control the hardware that uses speculative execution to then control it).
There does seem to be some fixes for the more subtle Spectre vulnerability, but in order to protect against the wide range of complexities within the vulnerability, at risk programs will need patches and updates immediately.
So what are Chip Manufacturers Doing?
The company most affected by these vulnerabilities is Intel, since they are affected by Meltdown and Spectre both. Pretty much every single Intel chip sold in the last 20 years is affected by Meltdown. In fact, that could be one reason that the Intel CEO sold his stock a few months back…
Since the release of the information about these vulnerabilities, Intel has released a whitepaper that explains possible mitigation techniques and future processor changes they plan to make to combat Spectre. Intel claims they are working with AMD and ARM chip makers to solve the issue, but AMD is downplaying the issue claiming that there is a “near zero risk of exploitation” due to architecture differences between Intel and AMD.
Once patches roll out from Intel, critics on Linux boards surmise that machines could see a performance decrease of 5% to 30% due to changes with speculative execution, however Intel implies that users won’t notice “significant” changes.
Other online based companies like Google’s Cloud Platform and Amazon Web services report that they have already updated services to protect against vulnerabilities.
Apple reports that they are affected by the flaws, but that there is no cause for worry since there “are no known exploits impacting customers at this time.” Meltdown fixes have been released while Spectre fixes seem to be coming soon.
What is TorGuard doing to Protect Against Meltdown and Spectre?
TorGuard has taken immediate steps to update and patch all servers within our infrastructure. Customers can rest assured their privacy and anonymity has not been jeopardized. There is no known proof of this being used in the wild, yet.
In the coming hours TorGuard VPN and proxy server locations will reboot in stages as patches take effect. We apologize in advance for any inconvenience this may cause our customers, however the security of our network is top priority.
It is IMPERATIVE that all TorGuard customers immediately update their operating systems (iOS, OSX, Windows, Android, Linux) with the latest security updates as they roll out, and update all web browsers (Chrome, Firefox, Edge) to lessen the potential risk these vulnerabilities pose.