CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Both Spectre and Meltdown take advantage of the ability to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel. These attacks are described in detail by Google Project Zero, the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz) and Anders Fogh. The issues are organized into three variants:

• Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass

• Variant 2 (CVE-2017-5715, also Spectre): Branch target injection

• Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read

	Spectre	Meltdown
CPU mechanism for triggering	Speculative execution from branch prediction	Out-of-order execution
Affected platforms	CPUs that perform speculative execution from branch prediction	CPUs that allow memory reads in out-of-order instructions
Difficulty of successful attack	High - Requires tailoring to the software environment of the victim process	Low - Kernel memory access exploit code is mostly universal
Impact	Cross- and intra-process (including kernel) memory disclosure	Kernel memory disclosure to userspace
Software mitigations	Variant 1: Compiler changes. Web browser updates to help prevent exploitation from JavaScript Variant 2: Indirect Branch Restricted Speculation (IBRS). Note: The software mitigation for Spectre variant 2 requires CPU microcode updates	Kernel page-table isolation (KPTI)

An attacker able to execute code with user privileges can achieve various impacts. The Meltdown attack allows reading of kernel memory from userspace. This can result in privilege escalation, disclosure of sensitive information, or it can weaken kernel-level protections, such as KASLR. The Spectre attack can allow inter-process or intra-process data leaks.

To execute code locally, an attacker would require a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are possible. Multi-user and multi-tenant systems (including virtualized and cloud environments) likely face the greatest risk. Systems used to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.

Apply updates

Operating system, CPU microcode updates, and some application updates mitigate these attacks. Note that in many cases, the software fixes for these vulnerabilities will have a negative affect on system performance. Also note that Microsoft Windows systems will no longer receive security updates via Windows Update if they are not running compliant anti-virus software. As with deploying any software updates, be sure to prioritize and test updates as necessary.

Consider CPU Options

Initial reports from the field indicate that overall system performance is impacted by many of the available patches for these vulnerabilities. Depending on the software workflow and the CPU capabilities present, the performance impact of software mitigations may be non-trivial and therefore may become an ongoing operational concern for some organizations. While we recognize that replacing existing CPUs in already deployed systems is not practical, organizations acquiring new systems should evaluate their CPU selection in light of the expected longevity of this vulnerability in available hardware as well as the performance impacts resulting from the various platform-specific software patches. Deployment contexts and performance requirements vary widely, and must be balanced by informed evaluation of the associated security risks. Contact your system vendor to determine if the CPU and operating system combination will experience a performance penalty due to software mitigations for these vulnerabilities.