Here's some information on the issue of 2018 Meltdown & Spectre Exploit Attack
Recently it was discovered that something called speculative execution can get ahead of some security checks, causing the processor to read protected memory before it gets told by the system that it's not actually allowed to. Speculative execution is a system that takes advantage of parallel processing to make CPUs work through code faster, but this oversight unfortunately allows some carefully crafted code to reveal information from kernel memory that should, for security reasons, stay hidden. This is the so called "Meltdown" attack.
The good news is that apparently only certain CPUs (Intel and some ARM chips) are vulnerable to it - at least according to AMD, who have stated their processors are not susceptible to Meltdown attacks due to how their chips are designed. Good news is also that there are already patches out in many browsers as well as operating systems to neutralize this attack vector. The bad news is that this problem exists because of "hardware coding" - how the silicon chip is designed - and the only way to fix it is by patching the software to work around the problem, and this stops the CPU from working at "full speed" in certain tasks. However, for security reasons, there is no way around this - the patches must be installed as soon as possible on anything with critical information and a connection to the Internet.
The other way to exploit speculative execution is called "Spectre" attacks, which is not a specific attack but instead describes a whole group of attacks that use two general ideas to exploit CPU hardware design flaws. The first is called "bounds check bypass", the second is "branch target injection". Spectre attacks don't access kernel memory, but instead they access other users' data in the memory. This is actually more of a bad news because processor manufacturers have not been exactly clear on how vulnerable their particular chips are; Intel's chips definitely are vulnerable, ARM chips as well, but AMD has given a bit more nebulous answer of two Spectre attacks risk for their chips being "zero, and almost-zero", whatever that means.
Spectre attacks are more of a risk in environments where there are multiple users on the same hardware - like servers running virtual machines on the same physical hardware. Spectre vulnerabilities can be used to reveal information that should belong to one user only, to some other user. This is basically a much bigger deal for commercial datacenters than it is for regular private users, but still worth patching for everyone as soon as patches come out (and there will be multiple patches because Spectre is not just a single attack, but rather a generalized vulnerability that can be exploited). For regular users, I think Spectre is not really going to be a major attack vector. It can be used to compromise browser security, but it's more difficult to utilize than Meltdown and it remains a fact that it's much easier to just get people to tell you their usernames and passwords (phishing) than it is to find them out via technical means (hacking).
Right now, patches are out to fix Meltdown vulnerabilities for many browsers (update to latest version!) as well as operating systems. Windows updates containing Meltdown fix are out, but due to some issues with anti-virus programs, they might not get properly deployed. If you can't see January's security roll-up patch, then check if your anti-virus program is compatible. If your program is compatible, you might still have to remove it, then get the Windows patch installed, and then re-install your antivirus program (but only if it's actually compatible).
Du darfst keine neuen Themen in diesem Forum erstellen. Du darfst keine Antworten zu Themen in diesem Forum erstellen. Du darfst deine Beiträge in diesem Forum nicht ändern. Du darfst deine Beiträge in diesem Forum nicht löschen. Du darfst keine Dateianhänge in diesem Forum erstellen.