Spectre (security vulnerability)

Spectre
A logo created for the vulnerability, featuring a ghost with a branch
CVE identifier(s)CVE-2017-5753 (Spectre-V1),
CVE-2017-5715 (Spectre-V2)
Date discoveredJanuary 2018; 6 years ago (2018-01)
Affected hardwareAll pre-2019 microprocessors that use branch prediction
WebsiteOfficial website Edit this at Wikidata

Spectre is one of the two original transient execution CPU vulnerabilities (the other being Meltdown), which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation.[1][2][3] On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.[4][5][6]

Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 (bounds check bypass, Spectre-V1, Spectre 1.0) and CVE-2017-5715 (branch target injection, Spectre-V2), have been issued.[7] JIT engines used for JavaScript were found to be vulnerable. A website can read data stored in the browser for another website, or the browser's memory itself.[8]

In early 2018, Intel reported that it would redesign its CPUs to help protect against the Spectre and related Meltdown vulnerabilities (especially, Spectre variant 2 and Meltdown, but not Spectre variant 1).[9][10][11][12] On 8 October 2018, Intel was reported to have added hardware and firmware mitigations regarding Spectre and Meltdown vulnerabilities to its latest processors.[13]

  1. ^ Cite error: The named reference SpectrePaper was invoked but never defined (see the help page).
  2. ^ Greenberg, Andy (2018-01-03). "A Critical Intel Flaw Breaks Basic Security for Most Computers". Wired. Archived from the original on 2018-01-03. Retrieved 2018-01-03.
  3. ^ Bright, Peter (2018-01-05). "Meltdown and Spectre: Here's what Intel, Apple, Microsoft, others are doing about it". Ars Technica. Archived from the original on 2018-05-27. Retrieved 2018-01-06.
  4. ^ "Meltdown and Spectre". Graz University of Technology. 2018. Archived from the original on 2018-01-03. Retrieved 2018-01-03.
  5. ^ Metz, Cade; Perlroth, Nicole (2018-01-03). "Researchers Discover Two Major Flaws in the World's Computers". The New York Times. ISSN 0362-4331. Archived from the original on 2018-01-03. Retrieved 2018-01-03.
  6. ^ Warren, Tom (2018-01-03). "Intel's processors have a security bug and the fix could slow down PCs". The Verge. Archived from the original on 2018-01-03. Retrieved 2018-01-03.
  7. ^ Myerson, Terry (2018-01-09). "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems". Microsoft. Archived from the original on 2018-05-25.
  8. ^ Williams, Chris (2018-01-04). "Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs". The Register. Archived from the original on 2018-05-27.
  9. ^ Warren, Tom (2018-03-15). "Intel Processors are Being Redesigned to Protect Against Spectre – New Hardware Coming Later This Year". The Verge. Archived from the original on 2018-04-21. Retrieved 2018-03-15.
  10. ^ Shankland, Stephen (2018-03-15). "Intel will block Spectre attacks with new chips this year – Cascade Lake processors for servers, coming this year, will fight back against a new class of vulnerabilities, says CEO Brian Krzanich". CNET. Archived from the original on 2018-04-23. Retrieved 2018-03-15.
  11. ^ Coldewey, Devin (2018-03-15). "Intel announces hardware fixes for Spectre and Meltdown on upcoming chips". TechCrunch. Archived from the original on 2018-04-12. Retrieved 2018-03-28.
  12. ^ Cite error: The named reference AT-20180315 was invoked but never defined (see the help page).
  13. ^ Cite error: The named reference AT-20181008 was invoked but never defined (see the help page).