Spectre & Meltdown: Quick Fact Sheet

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.

So far, there are three known variants of the issue:

To exploit the issue on an unpatched system, an attacker only needs to be able to execute code. This makes shared (cloud) systems particularly vulnerable. Mozilla has also confirmed that similar techniques can be used from Web content to read private information between different origins, so the issue could be exploited on a vulnerable browser simply by visiting an attacker-controlled site.

More Detail:

Original papers:

Mitigating the issue

Given the seriousness of this issue, the collective response from vendors has been outstanding. Here’s a look at our current status:

Cloud Providers
Operating System Vendors
Antivirus Vendors

Individual Antivirus Vendor responses can be found here. (Thanks @gossithedog!)

Browser Vendors

This document details a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands will be added here soon.

This blog first appeared on Jonathan Cran’s blog.


Executive Chairman, Founder and CTO of Bugcrowd.