Manish explains how the recently announced Spectre hardware vulnerability works, making the case that it’s one of the worst security vulnerabilities ever announced.

Early this year (2018), two major hardware vulnerabilities were announced – Spectre and Meltdown. Both of these vulnerabilities rely on side effects of speculative processor execution to leak sensitive data that the attacker would not normally be able to see.

There have been numerous videos and articles explaining what Spectre is at a high level and proclaiming it one of the worst hardware vulnerabilities. Spectre is particularly bad because it can be exploited remotely, via JavaScript, and can potentially access data that is in your browser’s memory – things like cookies and passwords.

What makes Spectre even worse is that despite mitigation strategies, there is no good fix short of removing speculation altogether. Unfortunately, this is a non-starter because of the severe performance penalty from such a drastic move.

It appears that mitigation strategies in the browser and other programs that execute untrusted code can reduce the attack surface and mitigate the impact of this bug, but a true hardware-level fix that retains the performance of modern processors remains elusive at the time of this writing.

The only good news is that systems that don’t run untrusted code aren’t directly vulnerable, though it is always possible to leverage this (or any other) vulnerability in conjunction with others to attack affected systems.

In this video, Unbounded Systems co-founder Manish Vachharajani briefly explains how Spectre works, why it is such a terrible bug, and why a real fix isn’t immediately on the horizon.
