{"id":26786,"date":"2018-01-24T10:53:03","date_gmt":"2018-01-24T02:53:03","guid":{"rendered":"https:\/\/www.deepin.org\/?p=26786"},"modified":"2018-03-09T16:29:40","modified_gmt":"2018-03-09T08:29:40","slug":"deepin-security-update-fixed-meltdown-and-specter-security-vulnerability-cve-2017-5754-1","status":"publish","type":"post","link":"https:\/\/www.deepin.org.cn\/en\/deepin-security-update-fixed-meltdown-and-specter-security-vulnerability-cve-2017-5754-1\/","title":{"rendered":"Deepin Security Updates\u2014\u2014Fixed Meltdown and Specter Security Vulnerability (CVE-2017-5754)(1)"},"content":{"rendered":"\"en\"<\/p>\n

Google Project Zero and other security teams disclosed\u00a0that there was a serious security vulnerability in Intel and other processor chips, issued a A-level vulnerability risk notice, and reminded that the vulnerability evolved into a A-level cyber security disaster for the cloud and information infrastructure. Relevant vulnerabilities exploit the implementation flaws of the acceleration mechanism worked at chip hardware level to execute side-channel attacks, and indirectly read system memory through CPU cache. Meltdown is named for \"melting\" the hardware security boundary, and Specter is named for its invisibility.<\/p>\n

Vulnerability introduction<\/h1>\n

There are two methods tp attack Intel processors: Meltdown and Specter. Meltdown refers to CVE-2017-5754<\/a> and Specter refers to CVE-2017-5753 <\/a>and CVE-2017-5715<\/a>.<\/p>\n

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. The bug basically melts security boundaries which are normally enforced by the hardware. Allow low-privileged user-level applications to \"cross-boundary\" access system-level memory, resulting in data leakage.<\/p>\n

Spectre\u00a0breaks the isolation between different applications. The root cause is speculative execution. This is a basic optimization technique that processors employ to carry out computations for data they \"speculate\" may be useful in the future. The purpose of speculative execution is to prepare computational results and have them ready if they're ever needed. In the process, Intel did not well isolate low-privileged applications from accessing kernel memory, which means that attackers could deliver malicious applications to get private data that should be isolated.<\/p>\n

Influence<\/h1>\n

This security incident has a wide impact,\u00a0 including:
\nProcessor chip: Intel, ARM, AMD, and other processors may also have the risks.
\nOperating System: Windows, Linux, macOS, Android
\nCloud providers: Amazon, Microsoft, Google, Tencent Cloud, Alibaba Cloud and so on
\nVarious private cloud infrastructures.
\nDesktop users may encounter attacks that combine this mechanism.<\/p>\n

Harmless<\/h1>\n

Vulnerabilities lead to information leakage in CPU operational mechanisms. Low-level attackers can exploit vulnerabilities to remotely access user information or locally access higher-level memory data.<\/p>\n

In actual attack scenario, the attacker can do below under certain conditions:<\/p>\n