The Kernel Page Tables Have Turned: Newly Discovered Hardware Vulnerability in Most CPUs: Spectre and Meltdown
Spectres of the Past and Future
Various researchers and Google’s Project Zero have discovered improved methods of side-channel cache timing attacks on processors that use speculative execution. Speculative execution is a performance optimization in which a processor attempts to predict, sometimes inaccurately, which code paths will be run next. Most side effects of an incorrect prediction are properly cleaned up, with the exception of memory cache lines, which have now been shown to be manipulable to leak sensitive and privileged information. Based on work originally presented at Black Hat 2016 by Anders Fogh and Daniel Gruss, cache-based side-channel timing attacks have been known about for at least a year. The introduction of these vulnerabilities creates an entirely new attack class, taking advantage of artifacts left behind after speculative execution.
Speculative Attack Vectors
As a result of highly detailed white papers and source code describing these vulnerabilities, exploitation will not be restricted to a small subset of vulnerable targets. The sheer number of potentially vulnerable systems will make this a bug that is seen in the wild for years. It is also cumbersome to protect against Meltdown, which requires kernel updates to implement a complex mitigation called Kernel Page Table Isolation (KPTI, based on KAISER) for Windows, Mac OS X, and Linux. The related Spectre vulnerability is much harder to defend against and so far has only a limited number of mitigations rather than robust fixes. The only obstacle for attackers is that all initial attack vectors require code execution of some type on the target.
Some stop-gap mitigations can be used for Firefox and Chrome in the meantime: in Chrome, you can enable per-tab process isolation, and in Firefox, you can disable high-precision timers. These reduce exposure until updates can be rolled out. The most complete solutions will likely be hardware/firmware based and should be applied as soon as they are available.
The nature of this attack also makes targets with shared resources and multiple users especially attractive, as they give the attacker a way to run code legitimately while hosting target processes that might have secrets to spill on the same hardware. In particular, cloud-based deployments like AWS and Microsoft Azure are environments that would be highly susceptible to this type of attack. Luckily, rolling updates for these services have already begun, making this vector less viable against the larger cloud providers.
Conceivably, older exploits that resulted in code execution can be revisited to see whether Meltdown can be used to expose kernel memory and/or bypass KASLR and thereby extend those attacks. A few older exploits that were unable to bypass some of these kernel protections may be revisited in the near future. This is a bit of a moot point, since machines still exposed to these older exploits are generally not maintained, but for an attacker, one shell is better than none.
To check the patch status of Windows hosts, use the official Microsoft tool found here.
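For Linux hosts, the kernel itself publishes its view of mitigation status through sysfs. The following script is an added example, not part of the original article or of the Microsoft tool: it reads the standard files under /sys/devices/system/cpu/vulnerabilities (present since kernel 4.15), classifies each status line, and falls back to a constructed sample when run on a host without that interface.

```python
import os

# Since Linux 4.15, each file under this directory holds one status line for an
# issue, e.g. "Mitigation: PTI", "Vulnerable" or "Not affected".
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a partially patched host might report (not real output).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "l1tf": "Not affected",
}

def classify(status_line):
    """Map a sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        # "Vulnerable: <detail>" means the kernel still considers the host exposed.
        return "vulnerable"
    return "unknown"

def read_sysfs_status(directory=SYSFS_DIR):
    """Return {issue: status_line} from sysfs, or {} if the kernel lacks the interface."""
    if not os.path.isdir(directory):
        return {}
    status = {}
    for name in os.listdir(directory):
        with open(os.path.join(directory, name)) as fh:
            status[name] = fh.read().strip()
    return status

def summarize(status):
    """Return (sorted names of unmitigated issues, [(issue, class, line), ...])."""
    rows = [(issue, classify(line), line) for issue, line in sorted(status.items())]
    exposed = [issue for issue, cls, _ in rows if cls in ("vulnerable", "unknown")]
    return exposed, rows

if __name__ == "__main__":
    # Use the live sysfs view when present; otherwise show the constructed sample.
    exposed, rows = summarize(read_sysfs_status() or SAMPLE_STATUS)
    for issue, cls, line in rows:
        print(f"{issue:<12} {cls:<13} {line}")
    print("exposed:", ", ".join(exposed) or "none")
```

A host whose sysfs directory is missing entirely is running a kernel that predates the mitigations, which is itself a finding worth recording.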
This story is ongoing. Please check back for additional revelations and insights.