Major flaw in CPUs around how they process data where revealed this week.
From the offical news release.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
These are pretty serious vulnerabilities, and software updates have already been released (or in the pipeline) before the disclosures happened. Its important that users upgrade as soon as possible.
What I like about the publicity are the nice logos that have been developed. I do wonder if these help with getting people to recognise vulnerabilities (alongside branding them, not just a CVE number) and getting people to update. It certainly helps having a nice image for news reporting.
This seems to be a growing trend. Whilst naming bugs and virus has been going on for years, to try and brand security vulnerabilities and give them graphic illustrative, almost cartoonish logos is something quite new.
I like it a lot, I first noticed this with the heartbleed logo a few years back (2014). I think if it helps to increase awareness on tech issues and the need to update and protect your devices, then its a good thing. It’s important to understand that good security is not just about code, the biggest vulnerability is the human, and not all humans are tech focused.
Mean time, the tech focus is on updating software and mitigation (Replacing the CPU with one without the fault is the only ‘fix’). This is not just on personal computers, but servers too. Theres going to be a performance hit, though the suggestions of 30% only seem to apply for very high loads.
For an explanation of the vulnerability, this on the Raspberry Pi blog (one of the few devices not effected.
The more troubling issue is that Spectre can be exploited using Javascript. Mitigations are being released for browsers, mean time there is more information on what web developers can do on the Chrome Developer Blog.