More details about Meltdown / Spectre fixes in 3.3.9

What changed in 3.3.9 to address Meltdown & Spectre

(Released: January 15, 2018)

  • ‘Meltdown’ Fix. This is a kernel vulnerability which is caused by a performance optimisation of modern CPUs, called “speculative execution”, which means they access memory and calculate results for code which may be executed soon. Due to a design flaw on Intel and some other (e.g. 64-bit ARM) CPUs, this speculative execution may be used by malicious software to bypass normal access controls and read private memory from the CPU cache. This allows access to memory belonging to the operating system, containing potentially sensitive data such as encryption keys, files from other programs, etc. This release includes a set of Linux kernel patches known as KPTI which applies stricter access controls, and prevents programs from accessing this operating system memory.

  • Initial ‘Spectre’ Security Fix. A similar family of issues affects almost all CPUs (Intel, AMD and ARM) and can be used to bypass security checks that form part of a program’s normal operation, potentially allowing attackers to access private data from the CPU cache. This presents a greater risk in programs which operate on untrusted data or code received from the Internet, such as web browsers. We’ve updated the Chromium web browser, and the WebKit web engine (used in various apps in the OS), to disable JavaScript features which malicious web pages could use to carry out this kind of attack. Future updates will contain additional fixes for this type of issue, in components across the OS including the browser engines, kernel, firmware and microcode (firmware for the CPU).

2 Likes

I tried with https://github.com/speed47/spectre-meltdown-checker and here is the result

1 Like

This is correct, other than:

Kernel support Page Table Isolation (PTI): NO

This is immediately followed by:

PTI enabled and active: YES

This is accurate - we’ve applied the Meltdown fixes (KPTI) to the kernel but have not yet included any Spectre (Variant 1/2) fixes in the kernel and microcode. On desktop systems which have typically one user, these kernel Spectre fixes are not as critical as they might be on servers with multiple users or shared hosting platforms. The fixes in the kernel for the Spectre vulnerabilities have not been finalised or released by the kernel community, and patching the kernel does not prevent the vulnerability from being exploited in other apps. The web browser is the most sensitive part of the OS in terms of running code from untrusted sources, which is why we’ve patched Chromium and WebKit first to prevent malicious JavaScript apps from launching Spectre attacks. We’ll apply the kernel and microcode patches once they are finalised, as well as further patches to the browser engines and other components such as the compiler as they become available.

2 Likes
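The “Kernel support: NO” versus “PTI enabled and active: YES” distinction in the reply above is worth checking on one's own machine after an update. The script below is an added example, not code from this thread or from the spectre-meltdown-checker project: it classifies the Meltdown mitigation state from the kernel's sysfs entry and falls back to the `pti` flag in /proc/cpuinfo. It assumes an x86 kernel that exposes /sys/devices/system/cpu/vulnerabilities/meltdown (4.15 and the stable backports carrying KPTI); on older kernels without that entry, and without the flag, it reports UNKNOWN rather than guessing.

```shell
#!/bin/sh
# Added example (not from the thread or spectre-meltdown-checker): report the
# Meltdown/KPTI mitigation state the way a defender would verify it.
# Assumptions: x86 Linux; sysfs "meltdown" entry present on 4.15+ and on the
# stable backports that carry KPTI; /proc/cpuinfo carries a "flags" line.

# classify_meltdown SYSFS_LINE CPUINFO_FLAGS
#   SYSFS_LINE    contents of .../vulnerabilities/meltdown ("" if missing)
#   CPUINFO_FLAGS the "flags" line from /proc/cpuinfo ("" if missing)
# Prints one of: NOT_AFFECTED, MITIGATED, VULNERABLE, UNKNOWN
classify_meltdown() {
    sysfs_line=$1
    flags=$2
    # The sysfs entry is authoritative when present: the kernel itself reports
    # whether the CPU is affected and whether PTI is active.
    case "$sysfs_line" in
        "Not affected"*)    echo NOT_AFFECTED; return 0 ;;
        "Mitigation: PTI"*) echo MITIGATED;    return 0 ;;
        Vulnerable*)        echo VULNERABLE;   return 0 ;;
    esac
    # No sysfs entry (older kernel): the "pti" cpuinfo flag appears only when
    # KPTI is compiled in and active, i.e. the "enabled and active: YES" case.
    [ -z "$flags" ] && { echo UNKNOWN; return 0; }
    case " $flags " in
        *" pti "*) echo MITIGATED ;;
        # Absence of the flag does not prove exposure (e.g. CPUs not affected),
        # so do not report VULNERABLE without the kernel's own verdict.
        *)         echo UNKNOWN ;;
    esac
}

# check_live: read the real files on this machine and classify them.
check_live() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    sysfs=""
    [ -r "$f" ] && sysfs=$(cat "$f")
    flags=""
    [ -r /proc/cpuinfo ] && flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2 || true)
    classify_meltdown "$sysfs" "$flags"
}

check_live
```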