Skip to main content

Meltdown and Spectre exploits impact Intel, ARM, and AMD processors

Security researchers have disclosed two new exploits that can be executed against modern processors. Dubbed Meltdown and Spectre, the exploits use similar methods to impact processors from Intel, AMD, and ARM across PCs, mobile devices, and in the cloud. The researchers explain:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre are both distinct attacks, but they both allow attackers to break isolation between applications to access information.

Perhaps the most distinct difference, however, is the specific processors affected by each attack.

Meltdown, the researchers say, has only been assessed to impact Intel processors. However, the range of potentially affected processors is vast.

More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Spectre, on the other hand, appears to have a much wider reach. According to researchers, nearly every type of device is affected by Spectre; it has been verified to work across Intel, AMD, and ARM processors. Spectre is harder to exploit than Meltdown, but researchers caution that it is also harder to guard against.

The attacks also work against cloud servers, which could leave customer data vulnerable.

Fortunately, at least some fixes are on the way. There are patches against Meltdown for Linux, Windows, and macOS, and Microsoft is currently rolling out an emergency patch for the issue. Spectre is not an easy fix, it seems, and the researchers say that there is ongoing work to "harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre."

You can read more on Spectre and Meltdown, including more technical details, in the researchers' full report.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

32 Comments
  • MELTDOWN does NOT apply to AMD cpus. And ZERO working exploits of Spectre for AMD.  AMD even REMOVE changes by Intel for AMD cpus in Linux. https://lkml.org/lkml/2018/1/3/425
  • Try reading, you might learn something.
  • No, he is correct. Meltdown only affects Intel CPUs and Spectre has 3 possible attack vectors, 2 of which are invalid on AMD CPUs but all 3 are valid for Intel CPUs. Perhaps you should read a few security tech sites to get the facts and not 4th hand news on other websites that don't really know what's happening and what the implications are.
  • LOL
  • AMD is currently unaffected for the most part. The information you are fed is misguiding, just as Intel's response was meant to confuse everyone. This does not mean AMD is in the clear as AMD also uses speculative execution, but AMD has a very different architecture and is not proven to be vulnerable to the exploits that compromised Intel.
  • [Hard] is reporting that AMD is not affected. Also: https://www.cnbc.com/2018/01/03/amd-rebukes-intel-says-flaw-poses-near-z... So there goes that. 
  • Near Zero != 0
  • true ... but is a far cry from the proven attack vector on intel chips that can be realized through a simple java script even via web ...... now THAT is a whopper ...
  • Well, uncomfirmed vs very confirmed at this time. That should tell you something. 
  • Good grief... that means there are insane amount of devices that are vulnerable to the Spectre exploit.... and there are people who say you don't need a firewall or an anti virus solution lol... smh...
  • So to be clear, AMD is not free of this defect.  No one releasing out of order execution CPU's is clear.  There are two exploits, Meltdown and Spectre.  As Meltdown is currenlty implemented it impacts Intel and most modern ARM CPU's, with two additional variants working on ARM as well.  Spectre works on all of them, as well as on IBM POWER CPU's (according to Red Hat). The fact that Meltdown currently does not work on AMD does not mean it cannot work on AMD, only that the methods proven to work on Intel do not work without at least some changes on AMD.  There is ongoing work there and AMD is still working on validating their level of vulnerability and has made no definitive statement on that topic yet. This is really bad, it is only a matter of time until Spectre is widely exploitable as well and the fixes are likely to impact system performance measurably for quite some time.  There is no easy hardware fix either, this is not a flaw it is a design decision made in 1993 with the original Pentium that was widely adopted across the industry due to its tremendous performance advantages.  At the time no one concieved of attacks o this nature and the speed of the hardware simply made such attacks infeasible. I am not looking forward to the near and possibly medium term future while we try as an industry to sort this out.
  • AMD does not use speculative execution and is not vulnerable to Meltdown 
  • Okay... I should watch Spectre 007 later...
  • Please don't put Intel & AMD in the same bracket as AMD reamined unaffected in most cases. Even for the Variant 1 which mught have some impact on Ryzen CPUs can be patched through Software/OS & firmware updates. AMD isn't as vulnarable as Intel.  
  • Exactly this and the general media response is quite alarming. I've been a fan of Intel's chips for years but I have to concede that on the facts presented, Intel chips have serious vulnerabilities whereas the risk for AMD is very small. Basically it shows that Intel put performance above all when it came to their microarchitecture but AMD sought to design a more complete chip. I have a new found respect for AMD now. What people aren't highlighting so much is a potential performance issue with an Intel/nVidia combo (and only that combo) due to the way NV cards talk to the CPU. It might turn out to be negligible but it'll be interesting to see how it goes.
  • FAKE NEWS to prevent the U.S. from making CPU's great again. LoL   :-D
  • Sounds like a couple of exploits belonging to nsa...
  • Is it also formed by North Korea??
  • Translation of most comments:  [every person that has an AMD processor] "AMD IS NOT AFFECTED!!!" [every person that has an Intel processor] "AMD IS ALSO AFFECTED!!!!"
  • Agree. Meltdown not work on AMD.
  • Amd released statement saying there not affected https://www.google.co.uk/amp/s/www.theverge.com/platform/amp/2018/1/3/16...
  • No system can be exploited...until it can be.  In other words, this is just the latest we know about.  It's almost useless to debate over whether this processor or that can be affected by this exploit or that.  I think just as important is to know under WHAT CONDITIONS the exploit can take place.  I'm not talking about the technical aspects of how it happens---most users won't have any comprehension.  What are the PRACTICAL conditions?  What USER BEHAVIORS or ACTIONS will invite such an attack?  That's what needs to be clearly and simply communicated to the masses.  And that's NOT what I'm seeing from any of the various tech reports.  THAT is a fail.
  • I read it off the independent or guardian which explained the exploit, that is enough, we do not need to know how to do it as this will encourage things, in principle Intel = your screwed, amd =be wary as this time your safe. Other processers are dependant so check with arm chip maker
  • What he's saying is to inform the average non techy public of what not to do that may leave them more vulnerable.
  • Absolutely right
  • Something interesting I just found out about this: Google's security group were the ones who discovered this problem. According to articles, Intel was informed of this problem on June 1, 2017. That is 180 days ago, and we found out about it just a couple days ago. In the past, when Google discovered a security flaw in Microsoft products, Google decided that Microsoft was not fixing problems fast enough, and so they released details of the flaw to the public. Google has had security flaws in their own products that they have refused to release patches for, leaving their own products and users vulnerable. Why is it that Google did not release information about this flaw to push manufacturers to fix the problem? This is the usual Google trying to gain customers through sleazy tactics. Google was vulnerable, too, so they kept it quiet. But if this were a Windows only problem, you know they would have been announcing it back in June of last year.
  • AMD is not susceptible to Meltdown AMD does not use speculative execution 
  • On a slightly different note, how does this affect the world of smart/IOT devices, like the Amazon Echo, Google Home, Hive, Ring, etc. Are their devices running Arm based CPUs, and how vulnerable are they?
  • Is my Windows Phone affected?
  • yes it is - to a limited extent by spectre. ms released a statement that they will deliver a patch shortly for all supported phones, so watch for upates for your phone.
  • and again another clickbaity headline that is completely wrong in every single aspect ... sub par journalism as expected on windowscentral. instead of delivering actual information in the headline it is all about spreading unwarranted panic to those who are not deeply involved in the whole topic. it is disgusting how you guys convolute topics and mislead people.
  • Care to clarify then? Or provide a link to a more accurate article?