What changed in 3.3.9 to address Meltdown & Spectre
(Released: January 15, 2018)
- ‘Meltdown’ Fix. This is a kernel vulnerability caused by a performance optimisation in modern CPUs called “speculative execution”, in which the CPU accesses memory and calculates results for code that may be executed soon. Due to a design flaw in Intel and some other (e.g. 64-bit ARM) CPUs, malicious software may use this speculative execution to bypass normal access controls and read private memory from the CPU cache. This allows access to memory belonging to the operating system, containing potentially sensitive data such as encryption keys, files from other programs, etc. This release includes a set of Linux kernel patches known as KPTI, which apply stricter access controls and prevent programs from accessing this operating system memory.
- Initial ‘Spectre’ Security Fix. A similar family of issues affects almost all CPUs (Intel, AMD and ARM) and can be used to bypass security checks that form part of a program’s normal operation, potentially allowing attackers to access private data from the CPU cache. This presents a greater risk in programs that operate on untrusted data or code received from the Internet, such as web browsers. We’ve updated the Chromium web browser and the WebKit web engine (used in various apps in the OS) to disable JavaScript features which malicious web pages could use to carry out this kind of attack. Future updates will contain additional fixes for this type of issue in components across the OS, including the browser engines, kernel, firmware and microcode (firmware for the CPU).
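
One way to confirm on a running system that the KPTI patches are active, and to see what the kernel reports for Spectre, as an added example that is not part of these release notes. It assumes the kernel exposes the standard Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities`, which the notes do not mention; the sample values and the `--demo` flag are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): read the kernel's own report of
# Meltdown/Spectre status. Each sysfs file holds one line in the kernel ABI
# format: "Not affected", "Vulnerable[...]" or "Mitigation: <name>".
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one status line to a verdict: ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Print "<issue> <verdict> <raw status>" per issue; return 1 unless all are ok.
check_vulns() {
    dir=${1:-$VULN_DIR}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            status=$(head -n 1 "$dir/$issue")
        else
            status="no sysfs entry (kernel does not expose this interface)"
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-11s %s\n' "$issue" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample, consistent with the notes: KPTI active, kernel-side
# Spectre mitigations still to come in future updates.
make_sample() {
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Vulnerable\n'      > "$1/spectre_v1"
    printf 'Vulnerable\n'      > "$1/spectre_v2"
}

# "--demo" uses the constructed sample; no argument reads the live kernel.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp"
    check_vulns "$tmp" || echo "at least one issue is not mitigated"
    rm -rf "$tmp"
elif [ -d "$VULN_DIR" ]; then
    check_vulns || echo "at least one issue is not mitigated"
fi
```

A verdict of `unknown` means the kernel gave no answer, not that the system is safe, so the function treats it as a failure.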