"What actually happens with these flaws is different and what you do about them is different", said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws. ARM Holdings said it's working with Intel, AMD and operating system vendors to address the problem.
"Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory, consequently, applications can access system memory", the Meltdown attack advisory states. Spectre focuses on tricking other applications into accessing locations within their memory.
Technology companies are scrambling to fix serious security flaws affecting computer processors built by Intel and other chipmakers and found in numerous world's personal computers and smartphones. It is also known as CVE-2017-5754 or "rogue data cache load", but has earned the nickname Meltdown because it melts the boundaries which hardware normally enforces.
"Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary", the 16-page research paper on Spectre stated. Researchers say one of the bugs, called Meltdown, affects almost every processor it's made since the mid-1990s.
There is no easy fix for Spectre, which could require redesigning the processors, according to researchers.
"The name [Spectre] is based on the root cause, speculative execution", the meltdown attack advisory stated. The New York Times called Meltdown "a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft" while The Verge said, "The CPU catastrophe will hit hardest in the cloud", but in fact cloud services have done more to protect themselves against the newfound flaws than most of the rest of us.
"Deep down, it is a hardware flaw that exists in modern processors with an ARM structure". Hope is growing amongst security researchers for a software fix that removes the threat altogether. Google says Android devices are protected if they have the latest security updates. You can find the same feature in chrome://flags on Android, but the fix does not work on iOS. Intel's press release detailing the Meltdown and Spectre security issues seemed to minimize the security risks and performance degradations that users would see after software patches are deployed. Apple Inc, Microsoft Corp and other software makers have issued patches to protect against the vulnerabilities. To be sure your computer is up to date, open the Start menu, click the gear icon to open Settings, and click on Windows Update.
The upstream Linux kernel has already patched for the issues as well, and multiple Linux distributions including Red Hat, SUSE and Ubuntu have provided updates to their users.
We haven't heard much from Microsoft yet about the flaw, but it's expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday this month, after seeding them to beta testers running fast-ring Windows Insider builds in November and December.