Many people have pinged me asking for a dead-simple explanation of the differences (and similarities) between these two attacks. Here’s an extremely basic summary:
- Meltdown applies to Intel and Apple processors and takes advantage of a privilege escalation flaw allowing kernel memory access from user space, meaning any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.
- Spectre applies to Intel, Apple, ARM, and AMD processors and works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.
The patching and mitigation story will continue to evolve, especially on the browser side since the web is based on client-side JavaScript execution.
There are software patches for both vulnerabilities, but they’re more straightforward for Meltdown and more nuanced and difficult with Spectre.
The major risk consideration here is whether someone is able to run code on your machine.
This means regular systems with multiple accounts, virtualization environments, cloud, and yes—even just browsing the internet on a single-user system. Your risk will be different depending on the hardware platforms used, the operating systems running on those platforms, and your various patch levels at any given time, but the basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.
Many are saying an attacker needs a local account to take advantage of these, but it’s more accurate to say that they need to be able to execute code, which can happen a number of ways (including ads and JavaScript).
TL;DR: Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution. The difference is that Meltdown takes advantage of a specific Intel privilege escalation issue to do this, while Spectre uses the combination of Speculative Execution and Branch Prediction. Both issues can be addressed with software patches, but this is more effective for Meltdown than Spectre.
Notes
- The Meltdown Paper.
- The Spectre Paper.
- If you see any flaws in this simplification, please let me know so that I can correct them.
- Jan 4, 2018 — Updated explanation to include JavaScript execution through the browser.
- Here’s Apple’s response to the issue. Short version is that people on iOS 11.2, tvOS 11.2, and macOS 10.13.2 are somewhat protected, but you should still expect additional patches (especially browser related).
- Here’s Google’s response.
- Here’s Microsoft’s response. And a second one by them.
- Here’s Amazon’s response.
- A security researcher is maintaining an updated list of interactions with AV software.
