 So the security team over at project zero has been doing a lot of work and among the things they've discovered is a bug in several of the ways that CPUs do predictive analysis or speculative prediction The giving ideas what speculative prediction if if I start saying ABC DE You would probably go FG and so on in the basic summary of this would be the processor We'll use prediction to try and figure out what needs to be done next in a way to be more efficient. That is a really basic Explanation for a very complicated way this is done because you're talking about so many CPU cycles and thousands of processes that all run in Parallel now running all these processes in parallel Ideally should mean they're all separate and they all don't talk to each other So the tools running my power holding my passwords or programs on my computer don't get to talk to this website for example unless I want them to and That's where this comes in as a pretty scary bug because the concept is this that you would Go in here and run a piece of software Let's say some JavaScript and it would be able to escape that Where all the processors run their own little thing or doing everything in parallel with each other But supposedly not talking to each other Well, they found a way to pull information from one process to the other and of course Somewhere within there is my password. I used to log in which means this is a hell of a security threat now Over at Michael Schwartz. He has a proof of concept of this. He's one of security researchers involved in it So using meltdown the steel passwords in real time Intel bug. He's got all the hashtags in here He's showing that yes using this methodology. He made a little anime to give here. That's really cute I'll leave links to all this in there showing that yes, he was able to make this happen. So Proof of concept. So you start with the idea that could this happen proof of concept right here He's showing it and gives all the details now Vulnerability start with this was found about six months ago And they've been working with the processor companies and the kernel developers and all the people writing software to start mitigating this a while ago And it tick until January here So if you go jump over here project zero you can see that this is reported as an issue back in June of 2017 So this has been around for a little while But the way these projects work the security researchers give time to companies to patch the problems that they find This is a really big problem. So they've given the loss of time to patch now where the big concern is Versus a lot of vulnerabilities is because this isn't a hardware of more in Intel So the variants of the meltdown variant affects more of the Intel processors versus the Specter one affects all the processors So this is a hardware level problem And it gets a little bit deeper Because there's microcode updates and things that need to be updated on the processor to mitigate it the short term We're gonna have software mitigation as in kernel patches and things like that now Microsoft release their patch for Windows 10 on January 3rd and on January 9th You're gonna be able to get the patch for all the other supported operating systems. Sorry that I know of I don't think I've seen Windows XP in this list So if you're so running and a non-supported Microsoft operating system, this is gonna be a problem for you But the patch is available. I tested it We tested on Windows 10 machines and we've been updating it for our clients so far knock on wood had no problems doing the update No safety risk. I've also updated my Linux machines and everything's being patched So it's not it is a big deal. There is a proof of concept out there, but if you're running a single user machine It's less likely for your attack, but that is never reason not to patch So patch as soon as you can and if you work in an IT you're probably already busy patching all of your client stuff because Once that threat is out there It's a matter of time before someone builds a stack of threats on top of it to really make this exploitable and scalable and much More scary than it is so most of the scaredness is because it really could go bad now the other concern of this and This will be inside of I this is actually the kernel all he links this as well And this is from Linus the kernel developer on Linux Linus Torvalds And he's saying something around a 5% performance impact for the isolation What they're having to do is isolate this cool predictive thing that was really efficient and when they isolated more it becomes less efficient so we see Problems with slowdowns and of course we want our CPUs to be as fast as we can and not slow down So we're seeing a 5% slowdown according to Linus for certain workloads and almost no slowdown for others So it's really use case dependent So if you're running a gaming system and everything's running what they refer to as user space and you're using the computer single desktop like mine right Here and it's used for single tasks that don't make a lot of kernel calls. Yes, you don't see much of a slowdown You're good, but this is where things get a little hairy So if this is another kernel developer Willie teru and he says I'm seeing as much as 17% on an enterprise level application Now enterprise applications of his hypervisors and vert a larger scale virtualization systems are used in Azure They're used and AWS are used at the data center level when you you really don't want problems there You don't want one virtual machine escaping to another Virtual machine are being will read memory from it So this is really scary at the data center level and we're seeing much more of a performance impact And that's unfortunate because no one wants to see data centers turn down a notch. That's pretty scary Now, there's some more nail system of the link to these guys as well over at Fronex they're continuously benchmarking and analyzing the x86 PTI issue and more systems and They're gonna probably break some more of this down. These guys are testing experts I'm not so I'm not gonna try and run any benchmarks or pretend I have a setup like they do to do all this major testing so I'll leave a link to them They're doing all this work at all the testing and figuring out, you know What causes the problems on a slowdown and what is not because it's it's kind of a crapshoot These companies can do the patches and fixes and we literally have to benchmark them to see what the differences are before and after the patches So that's still going to be an ongoing process Also, these are the first iterations of patches so there is a chance that someone will go Oh, there's a better way to do it than the way we implemented it But it is the process is security first and then we work on optimization Which unfortunately, I think that's how it's occurred. There wasn't a lot of security first going on here Now the other thing to note is Intel realized that this could be a problem So they actually had a little bit of foresight that there may be a problem And they have some instruction sets and some of their newer chips that kind of allow to help partially mitigate this So the older Intel chips When this is back to speculation on my part and on other security research parts until we can get the test results in That there is going to be more of a slowdown on the older processors A more performance it because it doesn't have facilities to do this now AMD and arm are affected arm is what runs our cell phones. So these are affected We're gonna have to see patches for a lot of cell phones and that goes for Apple and Android as well I'm not as clear or if there's any proof of concepts at this moment for the arm or on cell phones But it's still theory that can be done the difference in the arm as I understand is it's a switch You can flip off an arm and believe this on their documentation I read that you can just turn off speculative read with just take a performance hit But it can be turned off not by you but by Options in the system. So we're gonna have to wait and see how those patches come along and how vulnerable they are This is just a very new story and lots of testing and because of the way it works It's a very complicated issue So we have to tread lightly here on how we do this because if it's as bad as we are worried about and The proof of concept on certain process that we've seen says it's really really bad It really does have a dramatic effect on overall systems the data center and things like that And that's where a lot of concern is seems to be a little bit less risk on the desktop because we have Google coming out With a patch. I believe for chrome on a 23rd and I think Firefox just released one today What they're going to do is so programs running here because it relies on timing issues They're basically going to introduce a little bit of noise in that timing to make it really hard for those programs It might be running to try to escape memory and get in there There's not clear but the antivirus companies look like they're trying to update and look for this This is the unfortunate side of antivirus It's a cat and mouse game where we have to look for a program doing it so we can isolate the program doing it and then Be able to block it We have to be able to identify it so far that I've heard of as of today We haven't seen any of this in the wild Which means we don't see any of these proof of concepts that somebody's security features done and the wild running around stealing all the passwords and you know jumping out of virtual machines and Be making a mess of the internet so so far unless the NSA has been doing it in a very low-key quiet way or some other Three-layer agency we're not aware of it in the wild But it doesn't mean you shouldn't patch because it's a matter of time This goes back to things like want to cry where it was not in a wild We had a patch for it because we found about the vulnerability We had a patch for it But then when the want to cry was put together and they threw all the threats together it went wild on the internet Long after a patch was available so patch now because those who don't patch will probably be seeing going wild on the internet A few months from now someone will put together a big exploit and take advantage of this So like I said the simple thing is get patching make sure everything's up to date But you should be doing that anyways Because that is how a lot of these bugs and things like that get out and are out there You can read all the white peppers like I said leave a link to everything in the description below for the meltdown attack and a spectra attack They gave very detailed Breakdowns of how it how it all works and one side note because I'm going to mention this yes I'm aware, but I don't know the implications of it that one of the Intel I believe he's an engineer sold stock while knowing about this But before public disclosure that's a no-no It's referred to as insider training because they realized the Intel stock would go down and of course the AMD stock went up I don't not going to bother with that. You can look that yourself. I don't know where the laws are on that It seems like it's illegal, but I'm not an expert or an investment person But if you're curious about that yes, I'm aware of it But I'm going to focus on the security side and we've been spending time You making sure all of our systems are patched for our clients and for ourselves Because that's what's really important is making sure that you stay secure already fix con here like subscribe Leave your comments below if you want me to be more active join our forums on the Facebook's Because YouTube comments suck and I'll keep saying they suck until they stop sucking. Thanks