Meltdown and Spectre. (Speed at the price of insecurity?)
Three vulnerabilities in processor chips were publicly disclosed this week (New York Times). One is "Meltdown"; the other two are referred to as "Spectre." They could enable side-channel attacks in affected systems. According to Google, whose Project Zero played a prominent role in the research and disclosure, the issues are rooted in speculative execution, which enables the threading that lends processes the smooth speed users expect. Meltdown (CVE-2017-5754) permits ordinary applications to evade security boundaries usually enforced at chip level and access kernel memory. This vulnerability was first reported in Intel chips. Spectre (CVE-2017-5753 and CVE-2017-5715) is the more widespread and potentially dangerous of the two. It enables an attacker to bypass isolation among different applications (Bleeping Computer).
The bugs came to full public attention this week (New York Times). Google had quietly disclosed them to affected vendors some months ago, but working on fixes involved bringing in a large number of developers at a number of companies, and that inevitably meant that the news was leaking out. A growing conviction that leaks couldn't be contained apparently prompted public disclosure. It also explains the quick, if still incomplete, preparation of the fixes we saw this week (SANS Internet Storm Center).
Initial reports this week said only Intel chips were affected, but Intel objects to being singled out, and says its products remain the most secure available (CRN). Some competing manufacturers initially said their processors were unaffected, but their optimism was unfounded: most recent processors share the Spectre vulnerabilities, which have been identified in ARM and AMD chips as well (Silicon Valley Business Journal).
Many experts advise that patched devices will run noticeably more slowly. Cloud users should experience similar slowdowns as cloud vendors mitigate the risk of exploitation (CRN). One point worth noting is that there are a lot of ARM chips in Internet-of-things devices. If those are susceptible to Spectre, as they seem to be, that means there will be a lot of small, scattered, difficult-to-the-point-of-impossibility-to-patch IoT devices out there.