CVE identifier(s) | CVE-2017-5754 |
---|---|
Date discovered | January 2018 |
Affected hardware | Intel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors |
Website | meltdownattack |
Meltdown is one of the two original speculative execution CPU vulnerabilities (the other being Spectre). Meltdown affects Intel x86 microprocessors, IBM Power microprocessors,[1] and some ARM-based microprocessors.[2][3][4] It allows a rogue process to read all memory, even when it is not authorized to do so.
Meltdown affects a wide range of systems. At the time of disclosure (2018), this included all devices running any but the most recent and patched versions of iOS,[5] Linux,[6][7] macOS,[5] or Windows. Accordingly, many servers and cloud services were impacted,[8] as well as a potential majority of smart devices and embedded devices using ARM-based processors (mobile devices, smart TVs, printers and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads,[9] although companies responsible for software correction of the exploit reported minimal impact from general benchmark testing.[10]
Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load (RDCL),[3] in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some characteristics. The Meltdown and Spectre vulnerabilities are considered "catastrophic" by security analysts.[11][12][13] The vulnerabilities are so severe that security researchers initially believed the reports to be false.[14]
Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published.[15][16][17][18] Meltdown patches may produce performance loss.[19][20][21] Spectre patches have been reported to significantly reduce performance, especially on older computers; on the then-newest (2017) eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured.[22] On 18 January 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported.[23] Nonetheless, according to Dell, "No 'real-world' exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [26 January 2018], though researchers have produced proof-of-concepts."[24][25] Dell further recommended "promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources ... following secure password protocols ... [using] security software to help protect against malware (advanced threat prevention software or anti-virus)."[24][25]
On 15 March 2018, Intel reported that it would redesign its CPUs to help protect against the Meltdown and related Spectre vulnerabilities (especially, Meltdown and Spectre-V2, but not Spectre-V1), and expected to release the newly redesigned processors later in 2018.[26][27][28][29] On 8 October 2018, Intel is reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.[30]
register
was invoked but never defined (see the help page).NYT-20180104
was invoked but never defined (see the help page).FM-20180105
was invoked but never defined (see the help page).PCW-20180104
was invoked but never defined (see the help page).CNET-20180104
was invoked but never defined (see the help page).bbcflaw
was invoked but never defined (see the help page).NYT-20180103
was invoked but never defined (see the help page).TV-20180104
was invoked but never defined (see the help page).ZDN-20180118
was invoked but never defined (see the help page).AT-20181008
was invoked but never defined (see the help page).