After building speculation fueled by media reports (including our own) ahead of a planned coordinated release, researchers at Google, academic institutions, and other companies have revealed a pair of attack classes this afternoon that exploit fundamental operating principles of modern CPUs to allow attackers to arbitrarily read data from the memory of vulnerable systems.
The first, called "Meltdown," breaks down CPU-level protections that prevent unprivileged applications from reading arbitrary system memory, including privileged memory locations corresponding to the operating system's kernel, using what the researchers describe as side effects of out-of-order execution on modern processors.
According to the Meltdown paper, the researchers were able to successfully perform the Meltdown attack using unprivileged code on Intel microarchitectures because of a privilege escalation vulnerability specific to that company's CPUs, but could not successfully execute the full version of the attack on AMD and ARM CPUs.
The researchers warn that every Intel CPU employing out-of-order execution could be vulnerable to the Meltdown attack, which is to say all Intel chips dating back to the Pentium Pro are vulnerable outside of some in-order Atom cores. The principle of kernel page table isolation (KPTI) described in our earlier news post on this topic was not specifically designed to mitigate this attack, according to the researchers, but it does effectively stop an attacker from exploiting this vulnerability.
The researchers urge the adoption of KPTI-style mitigations for Meltdown as soon as possible—something that macOS, Windows, and Linux have done or are in the process of doing.
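Since the practical question for most administrators after reading the above is "is KPTI actually active on my hosts?", here is a small check script. It is an added example written for this page, not code from the researchers or from any vendor. It assumes a Linux kernel that exposes the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ (present on kernels that received the mitigation backports) and reports a "pti" entry in the flags line of /proc/cpuinfo when page table isolation is enabled; on older kernels or non-Linux systems it simply reports that no status is available.

```shell
#!/bin/sh
# Added example (not from the article): summarise Meltdown/Spectre mitigation
# status on a Linux host. Assumes the kernel exposes
# /sys/devices/system/cpu/vulnerabilities/* and the "pti" cpuinfo flag.

# classify_status STATUS_LINE
# Maps one line from a vulnerabilities/* file to a short verdict:
#   "Not affected"  -> not_affected
#   "Mitigation: …" -> mitigated
#   "Vulnerable…"   -> vulnerable
#   anything else   -> unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# kpti_enabled CPUINFO_TEXT
# Succeeds (exit 0) when a "flags" line in the supplied /proc/cpuinfo text
# contains the word "pti", i.e. kernel page table isolation is active.
kpti_enabled() {
  printf '%s\n' "$1" | grep '^flags' | grep -qw pti
}

# summarise_dir DIR
# Prints "<name> <verdict> <raw status>" for every file in DIR and returns
# non-zero if any entry is still reported as vulnerable.
summarise_dir() {
  dir=$1
  worst=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    verdict=$(classify_status "$status")
    [ "$verdict" = vulnerable ] && worst=1
    printf '%-22s %-13s %s\n' "$(basename "$f")" "$verdict" "$status"
  done
  return "$worst"
}

# report_host
# Runs the checks against the live system.
report_host() {
  vdir=/sys/devices/system/cpu/vulnerabilities
  if [ -d "$vdir" ]; then
    summarise_dir "$vdir" || echo "WARNING: at least one issue still reported as vulnerable"
  else
    echo "no $vdir: kernel predates the status reports, status unknown"
  fi
  if kpti_enabled "$(cat /proc/cpuinfo 2>/dev/null)"; then
    echo "KPTI: enabled (pti flag present)"
  else
    echo "KPTI: not reported in /proc/cpuinfo"
  fi
}

report_host
```

Run it as an unprivileged user; the status files are world-readable. A host that prints "Vulnerable" for the meltdown entry, or no "pti" flag on an Intel part, has not received the KPTI update the researchers recommend, regardless of what the package manager reports.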
The second class of attack, called Spectre, apparently allows similar leaking of memory contents through misdirection of certain speculative execution features present in all modern CPUs. The researchers say they have verified the attack on processors from Intel, AMD, and ARM. The researchers further note that Spectre attacks are harder to carry out but also defy easy mitigation.
Intel has not provided information regarding its response to these attacks beyond its initial statement this afternoon, but AMD claims that at worst its CPUs have a "near zero risk of exploitation" on a dedicated page on its site. ARM has provided a detailed list of affected products and potential workarounds on its site.
At the software level, Google has detailed steps that it's taking to limit the scope of these vulnerabilities in its own products. Microsoft has also pushed an out-of-band security update for Windows and plans to aggressively begin rebooting affected Azure virtual machines this afternoon. As always when discussing this type of vulnerability, we suggest keeping all software as up-to-date as possible as soon as possible.