Computer processors have a performance feature called “speculative execution”. When it reaches a fork in the code, such as an if statement, the processor can reduce processing time by executing in advance the code it predicts it will need later. When the prediction turns out to be wrong, the processor rolls back *most* of the side effects of the speculatively executed instructions; however, because rolling back is itself costly, the cache and the branch prediction history are not reverted. There are several ways to exploit this behaviour. The end result is that malicious users can exploit Meltdown and Spectre to steal data that is currently being processed on the vulnerable machine.
The Firefox team noted that the attacks require measuring precise time intervals, so as a short-term mitigation they reduced the precision of several time sources. Specifically, starting from Firefox v57, the resolution of the performance.now() function is reduced to 20µs and the SharedArrayBuffer feature is disabled by default. Similarly, the Chromium team announced that in Chrome v64 the SharedArrayBuffer feature will be disabled by default and the performance.now API will be modified. The Chrome team also suggested the following mitigations that web developers can implement on their own sites:
- Where possible, prevent cookies from entering the renderer process’ memory by using the SameSite and HTTPOnly cookie attributes, and by avoiding reading from document.cookie.
- Make sure your MIME types are correct and specify an X-Content-Type-Options: nosniff header for any URLs with user-specific or sensitive content, to get the most out of cross-site document blocking for users who have Site Isolation enabled.
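The two site-side mitigations above, as an added example that is not part of the original post or of any browser vendor's code: a helper that emits cookies with the HttpOnly and SameSite attributes plus the nosniff header, and an audit function that flags responses missing them. The header values and the function names are assumptions chosen for illustration.

```javascript
// Build a Set-Cookie value that keeps the cookie out of document.cookie
// (HttpOnly) and off cross-site requests (SameSite). Defaults are strict;
// callers opt out explicitly.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, sameSite = "Strict", secure = true, path = "/" } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Headers for a response carrying user-specific content: an explicit MIME
// type plus nosniff so cross-site document blocking can rely on it.
function sensitiveResponseHeaders(contentType, cookies) {
  return {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": cookies,
  };
}

// Audit a response's headers (object keyed by header name, Set-Cookie as an
// array). Returns a list of findings; an empty list means both mitigations
// from the list above are present.
function auditHeaders(headers) {
  const findings = [];
  const get = (wanted) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === wanted);
    return key === undefined ? undefined : headers[key];
  };
  if (!get("content-type")) findings.push("missing Content-Type");
  const xcto = get("x-content-type-options");
  if (!xcto || xcto.toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  const cookies = [].concat(get("set-cookie") || []);
  for (const cookie of cookies) {
    const cookieName = cookie.split("=")[0].trim();
    const attrs = cookie.split(";").map((s) => s.trim().toLowerCase());
    if (!attrs.includes("httponly")) findings.push(`cookie ${cookieName} lacks HttpOnly`);
    if (!attrs.some((a) => a.startsWith("samesite="))) {
      findings.push(`cookie ${cookieName} lacks SameSite`);
    }
  }
  return findings;
}
```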
There are patches against Meltdown for Linux, Windows, and OS X. Judging by the kernel patches as well as the browser patches, Meltdown and Spectre can only be mitigated at the cost of a performance penalty, at least until CPU manufacturers implement a fix within the CPU architecture. In terms of risk, any sensitive data held in the device's memory can be mined, including financial data such as credit card and banking details as well as logins and passwords. For more information about these attacks, including proof-of-concept code, see https://meltdownattack.com/