A recent illustration* by CommitStrip gets the point across. Some researchers discovered a huge leak in the hardware that accompanies our daily life. Many products are affected. This is a collection of some reactions and voices so far:
- Jonathan Corbet: KAISER: hiding the kernel from user space
- Intel: Intel Management Engine Critical Firmware Update (Intel-SA-00086)
- Project Zero: Reading privileged memory with a side-channel
- Mozilla Security Blog: Mitigations landing for new class of timing attack
- Linus Torvalds: Comment
- TU Graz: Researchers discover serious security vulnerabilities
- Alan Cox: Advice
- LLVM: Introduce the “retpoline” x86 mitigation technique
- Steinar H. Gunderson: Loose threads about Spectre mitigation
- Anders Fogh: Behind the scenes of a bug collision
- Raspberry Pi: Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown
- Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs
- Amazon: Processor Speculative Execution Research Disclosure
- Greg Kroah-Hartman: Meltdown and Spectre Linux Kernel Status
In addition, my laptop has reached the end of life and is no longer supported by the manufacturer, and it looks like there are many systems that have the same problem. Many people don’t even know they have a problem. We can only apply software patches if they reach us. Holders of most smartphones just bought a buggy device. The dream of multi-user-tasking devices has been disrupted; actually, so has the whole idea of memory protection based on the hardware protection mechanism that separates kernel space from user space.
If you’re still confused by the events which are shaking the IT world so much and do not understand why action is required, maybe the XKCD can help.
*) Published with kind permission on a non-commercial blog.
"Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality." (Eben Upton)