If this is a hardware flaw or a software flaw is hard to tell since the firmware is closed source but all computers and phones and the IOT are affected.
How it works:
All computers have a CPU and to make things smoother the CPU anticipates what you are going to do.
Lets say you type an URL then the CPU anticipates that you will press ENTER -it saves time and that is normally a good thing (over-simplified but works as an example).
The communication between your OS and the CPU is negotiated by the Kernel of your OS (Windows Linux/Android or IOS) and it is in this process where the time is saved.
This anticipation can be exploited though because if you decide to cancel your operation then your computer has already pressed ENTER for you and needs to nullify that operation.
Before the computer gets around to that some bad guys can exploit that memory and find out where your passwords are handled and reveal them.
..That is bad - and it is called Meltdown!
In the case of Spectre the attacker will not see the remains of your operations but can get there by executing a series of speculative operations (advanced guesswork).
Meltdown affects most CPU's built after 2003 - and that is a lot!
Now Meltdown can be patched and has been in Windows Linux and iOS but this can affect your Computer to run 30% slower.
Intel states that the negative effect will be much less in most cases.
Spectre may well haunt us for a longer time but all the top dogs are working on it....
Clouds like Amazon EC2, Microsoft Azure, and Google Compute Engine; are affected but if you have listened to any advice here you would never put any mission critical info "out there". Which clouds are affected depends on the technology they use.
Which cloud providers are affected by Meltdown?
Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.
Linus Torvalds says it diplomatically:
I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.
.. and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind.
Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?
I am patched - which I checked like this:
Code: Select all
dmesg | grep isolation
0.000000] Kernel/User page tables isolation: enabled
Code: Select all
zcat /proc/config.gz | grep -i page_table