Don’t panic about the new ‘Prime’ Meltdown and Spectre CPU exploits
15 February 2018 | 0
The news sounds bad at first blush: Researchers from Nvidia and Princeton University have discovered fresh ways to exploit the Meltdown and Spectre CPU vulnerabilities present in every modern computer processor. But while the new MeltdownPrime and SpectrePrime attacks prove that the initial exploits aren’t necessarily the only way to trigger the vulnerabilities lurking inside chips, everyday computer users shouldn’t freak out about them.
The new vulnerabilities pit the multiple CPU cores inside modern processors against each other and take advantage of the way memory cache access works in multi-core systems. The Register’s synopsis and the research paper have more in-depth technical details if you want them. Like Meltdown and Spectre, a successful attack can extract sensitive information, including passwords.
Now for the good news: The researchers didn’t release exploit code for MeltdownPrime and SpectrePrime. Better yet, the patches already planned for Meltdown and Spectre should protect against these new variants, too. All major operating systems released Meltdown protections as soon as the exploits were announced, Intel is starting to roll out CPU firmware updates after a disastrous first attempt, and industry leaders are tweaking compilers and how code is handled to harden other software against Spectre.
Safeguarding against Meltdown, Spectre, and these new Prime variants isn’t straightforward though, as the processor flaws touch every aspect of your PC. Researchers are starting to see malware probing the vulnerabilities in the wild, so you’ll also want to take additional steps to keep your data safe. Invest in solid data backup and Windows antivirus solutions if you haven’t already.
MeltdownPrime and SpectrePrime might complicate tomorrow’s computing world, though. Intel and AMD are building hardware fixes for the original CPU vulnerabilities into their next generations of processors, but these fresh attacks won’t get stopped by those, the researchers say.
“We believe that microarchitectural mitigation of our Prime variants will require new considerations. Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol.”
Coincidentally, Intel expanded its bug bounty programme yesterday, introducing a special programme for ‘side-channel’ attacks like these that pay up to $250,000 for disclosure of new exploits.
Stay patched but don’t panic.
IDG News Service