FAQs on Meltdown and Spectre

Answers to the most common questions about the processor vulnerabilities and attack scenarios Meltdown and Spectre.
FAQs_zu_Meltdown_und_Spectre_-_logo-meltdown-spectre.png

 

  • How can the vulnerabilities be exploited?

  • Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program is able to exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
    Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
  • Meltdown and Spectre? What's this?

  • Meltdown and Spectre are attack scenarios which are able to exploit the hardware vulnerability using malicious code.
    So far, there are three attack scenarios published by Google:
    CVE-2017-5753 (Spectre 1, Bounds Check Bypass)
    CVE-2017-5715 (Spectre 2, Branch Target Injection)
    CVE-2017-5754 (Meltdown, Rogue Data Cache Load)
  • What is the difference between Meltdown and Spectre?

  • Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory.
    Spectre tricks other applications into accessing arbitrary locations in their memory.
    Both attacks use side channels to obtain the information from the accessed memory location.
    For a more technical discussion we refer to the papers
    Meltdown (PDF)
    Spectre (PDF)
  • Which processors are affected?

  • Basically, both current and older processors are vulnerable to at least one of the three attack scenarios.
    Name CVE-Nr. Intel AMD ARM * IBM Power
    Spectre, Var. 1 (Bounds Check Bypass) CVE-2017-5753
    Spectre, Var. 2 (Branch Target Injection) CVE-2017-5715 -
    Meltdown (Rogue Data Cache Load) CVE-2017-5754 - - -

    * affected are Cortex-A8, -A9, -A15, -A17, -A57, -A72, -A73, -A57, -R7, -R8, not the Cortex-A53 in the Raspi
  • Which operating systems are affected?

  • Since this is a hardware gap, all operating systems are affected!
  • Am I affected by the vulnerability?

  • Most certainly, yes.
    You can check this by using the PowerShell.
    • Press the Windows key or click the Start menu and type in PowerShell.
    • Run PowerShell as administrator by right-click.
    • In the opened window, enter Set-ExecutionPolicy -ExecutionPolicy RemoteSigned , press Enter and confirm the execution with "A".
      FAQs_zu_Meltdown_und_Spectre_-_WindowsPowerShell-1a.jpg
    • Type Install-Module SpeculationControl , press Enter and confirm with "Y" and "A". Now the module will be installed via NuGet.
      FAQs_zu_Meltdown_und_Spectre_-_WindowsPowerShell-1b.jpg
    • Type Get-SpeculationControlSettings and execute.
      FAQs_zu_Meltdown_und_Spectre_-_WindowsPowerShell-1c.jpg
     
    For this Microsoft has published a support article::
    Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabil...
  • Will there be an update to the Meltdown / Sprectre vulnerability for MEDION devices?

  • Yes!
    BIOS updates are requested for the current MEDION motherboards.

    → MEDION Desktop Mainboards
    MEDION Notebooks

    * Notes 
    requested The BIOS is requested from our partners
    Testing BIOS available, currently tested by MEDION
  • Which BIOS version do I have?

  • You can read out the installed BIOS version with "MSinfo32":
    • In the Cortana search box type "MSinfo32" and select "System Information"

    Alternatively, you can read information about the mainboard via the command line:
    • Open the Run window using the keyboard shortcut [Win + R].
    • Enter "cmd" and confirm with [OK].
    • Enter the desired commands in the command line window (or copy from here and insert by right mouse click):
    > Motherboard Type: wmic baseboard get product,Manufacturer,version
    > BIOS version: wmic bios get name,version
    > Processor Info: wmic cpu get name
     
  • References and further information:

  • • TU Graz: Overview page of Graz University of Technology, which was instrumental in the discovery of Meltdown ...
    • Intel: Facts About Side Channel Analysis and Intel® Products
    • Google Security Blog: Today's CPU vulnerability: what you need to know
    • Google Project Zero research: Reading privileged memory with a side-channel
    • Google Product Status: Google’s Mitigations Against CPU Speculative Execution Attack Methods
    • Microsoft: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabil...
     
Version History
Revision #
2 of 2
Last update:
‎23.01.2018 07:24
Updated by:
Community Manager
 
Contributors