Steve Grobman's explanation of the Spectre-Meltdown threats

(PresseBox) (Unterschleißheim)
Steve Grobman, CTO McAfee: “The Spectre and Meltdown discoveries are concerning because they could provide cyber criminals a new set of tools to steal passwords and other critical data. They are also concerning because they could impact a large set of the computing devices that we rely on, from PCs to phones and back-end services we rely upon, such as servers and the cloud.

Both Spectre and Meltdown techniques are breaching the protections that separate apps and applications from the operating system as well as other applications.  

One way to think about this is to consider the analogy of banking. We rely on the bank to perform operations on our behalf. When we request that a payment is made to our electric company, the bank performs many tasks behind the scenes to move funds, such as updating financial records and ledgers.

I don’t have access to the sensitive data the bank manages, nor do I have access to information about any other customer accounts. I am relying on a privileged service to perform an action on my behalf.

This is exactly how operating systems work. Applications request the operating system to perform certain sensitive operations on their behalf when the application can’t perform the action directly. 

These attacks “melt” the barriers between unprivileged applications and the privileged operating system.  In the banking example, it would be like having normal users see all of the “behind the scenes” data that the bank has as well as other banking customer information.

On consumer devices, the attacks can potentially steal passwords, financial data or access to information in another application; there is definite cause for concern. Consumers should immediately apply whatever updates they receive from PC, phone and mobile app providers.

For businesses, there is potentially more risk because information could potentially be stolen from another business or department that is using the same physical device. The positive news on this front is that the major cloud providers behind the devices and apps we use have been proactive in applying the software fixes needed to mitigate much of this risk.”