Defrag This

| Read. Reflect. Reboot.

The Meltdown Never Ended: Microsoft and Google Find New Meltdown/Spectre Vuln

Jeff Edwards | May 22 2018

| security


Well, the time has come: the latest installment of our favorite saga is finally upon us, and we can't wait to see where the story is going next. No, I'm not talking about Solo: A Star Wars Story; I'm talking about the saga that is the Meltdown/Spectre chip flaws, of course.

The latest installment in the year's biggest, seemingly never-ending security story is here: researchers at Microsoft and Google have discovered a new, fourth variant of the Meltdown-Spectre security flaws plaguing modern processors.

First made public in January, the Meltdown and Spectre exploits affect millions of Intel, AMD, and Arm chips on the market. In fact, nearly all Intel chips produced since 2010 were vulnerable to the initial exploit. The exploits allow applications, malware, and even JavaScript code running in web browsers access to the contents of the OS kernel’s private memory areas, which typically store all types of sensitive information, such as passwords, credentials, and personal information.


Meltdown can be exploited by normal programs to read the contents of private kernel memory, whereas Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Spectre can also be used to extract information from its own processes. Needless to say, this was a big deal. 

Since then, mitigation has been a mess, with failed patches and bricked PCs par for the course. 

Now, researchers at Microsoft and Google have disclosed a new, fourth variant of the exploit (CVE-2018-3639).

New Variant Can be Exploited by JavaScript

This new, fourth variant affects modern processors from Intel, AMD, Arm, and IBM—that is to say, it affects a lot of devices, including millions of mobile devices worldwide. 

The fourth variant uses speculative execution to expose sensitive data through a side channel and could be exploited by scripts running within a program to access other parts of that program. That means JavaScript running behind the scenes in a browser could potentially be used to access data from other parts of the browser, such as another open tab with your banking information.

While this seems scary, the vulnerability is actually quite difficult to exploit, and no exploits have been spotted in the wild as of yet. Microsoft says that the risk to users from this bug is "low," and it should be noted that some programs and operating systems are already protected from speculative execution attacks by previous patches meant to mitigate the initial Meltdown/Spectre flaws. Nonetheless, the new vulnerability gives us an idea of just how deep this flaw goes, and I have no doubt this isn't the last we've heard from this flaw, and that we'll be seeing more exploits for out-of-order processors soon.
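To check whether a given machine is among those already protected, the following added example (not part of the original article) reads the status the Linux kernel reports for each variant, including the fourth (CVE-2018-3639). It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`; the function names are illustrative, and the status strings quoted in the comments are constructed samples in the kernel's style.

```python
"""Report kernel-declared status for Meltdown/Spectre variants (added example)."""
import os
import sys

# Assumption: Linux sysfs layout; this directory is absent on older kernels.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file name -> label in the article's terms.
ENTRIES = {
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
    "meltdown": "Meltdown (variant 3)",
    "spec_store_bypass": "Variant 4 (CVE-2018-3639)",
}


def classify(status):
    """Map a status line to a state, e.g. 'Mitigation: PTI' -> 'mitigated'."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, missing, or a wording this script does not know


def read_status(directory=SYSFS_DIR):
    """Return {entry: (state, raw_text)}; a missing file yields 'unknown'."""
    result = {}
    for name in ENTRIES:
        try:
            with open(os.path.join(directory, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = ""  # kernel predates this entry or sysfs is not mounted
        result[name] = (classify(raw), raw)
    return result


def needs_attention(statuses):
    """Entries that are vulnerable or that the kernel does not report on."""
    return sorted(n for n, (state, _) in statuses.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    statuses = read_status()
    for name, (state, raw) in statuses.items():
        print(f"{ENTRIES[name]:28} {state:13} {raw or '(no sysfs entry)'}")
    sys.exit(1 if needs_attention(statuses) else 0)
```

A missing `spec_store_bypass` entry is reported as `unknown` rather than safe, because a kernel that predates the variant 4 patches cannot report on it.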

 

Topics: security


THIS POST WAS WRITTEN BY Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
