On 2018-01-04 at 12:22, Curt wrote: > https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-fladdws/U > > > TL;DR > > Windows, Linux, and macOS have all received security patches that > significantly alter how the operating systems handle virtual memory > in order to protect against a hitherto undisclosed flaw. > ... > In the immediate term, it looks like most systems will shortly have > patches for Meltdown. At least for Linux and Windows, these patches > allow end-users to opt out if they would prefer. The most vulnerable > users are probably cloud service providers; Meltdown and Spectre can > both in principle be used to further attacks against hypervisors, > making it easier for malicious users to break out of their virtual > machines. > ... > For typical desktop users, the risk is arguably less significant. > While both Meltdown and Spectre can have value in expanding the scope > of an existing flaw, neither one is sufficient on its own to, for > example, break out of a Web browser. > > Apparent moral of story for CPU: don't speculate (but it's > significantly *slower*). https://spectreattack.com/ has the best and most concise summary I've seen yet, as well as links to various other places for in-depth details (whitepapers and blog posts). The situation as I understand it is basically that: * Meltdown affects all Intel CPUs released since about 1995, except for Itanium models and pre-2013 Atom models. * Spectre appears to affect Intel, AMD, and ARM chips alike, going back who-knows-how-far. * Meltdown can be mitigated by security patches which people are rushing out, but doing so has a performance cost, anywhere from 5% to 30% depending on various factors. * Spectre can only be fixed (or even meaningfully mitigated) per-program, and doing so isn't necessarily trivial. * Meltdown is relatively easy and straightforward to trigger, once you know how. * Spectre is harder to trigger and/or exploit, but still possible. * Nobody knows whether either of these is being exploited in the wild. Also, https://techreport.com/news/33026/researchers-reveal-meltdown-and-spectre-cpu-exploits?post=1064251 is what looks to me like an "as near to layman's terms as we're likely to get" explanation of how the Spectre exploit actually works. -- The Wanderer The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
Attachment:
signature.asc
Description: OpenPGP digital signature