Nearly a dozen cybersecurity researchers this week reported two potentially serious exploits of vulnerabilities that exist in most modern processors.
Three teams — Jann Horn at Google Project Zero; a team at Cyberus Technology; and a team at Graz University of Technology — independently discovered and reported the Meltdown exploit.
Two teams — Google Project Zero’s Horn; and a team led by Paul Kocher, including representatives from the University of Pennsylvania, University of Maryland, Rambus, University of Adelaide and Data61 — independently discovered and reported the Spectre exploit.
The Meltdown and Spectre exploits leave no traces in traditional log files, but they could be used to capture sensitive information on devices, including passwords and even encryption keys.
Because Meltdown and Spectre are difficult, if not impossible, to distinguish from regular applications, traditional antivirus software is unlikely to detect or block them.
The security researchers haven’t been able to determine if either has been used in the wild to date, but they did note that there now are patches for Meltdown for Linux, Windows and OS X. Work to harden software against exploitation by Spectre is ongoing.
“Meltdown” is so named because the malware in essence “melts” security boundaries that hardware normally enforces. The “Spectre” name is based on its root cause, namely speculative execution.