Title: CPU Hardware Security Vulnerability Alert


National Cyber Coordination and Command Centre (NC4) is aware of recent revelation of security vulnerabilities in processors that can be exploited to gather sensitive data from computing devices.


Malicious code executed with user privileges can access privilege information, at otherwise protected kernel memory level.

Brief Description

Recent research by security researchers uncovered security vulnerabilities, Meltdown and Spectre, involving kernel memory in Intel, ARM, AMD and other processors. The vulnerabilities could enable malware to steal privileged information stored in the memory location of other running programs such as passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.


Meltdown vulnerability relates to execution of vulnerable code with out-of-bound index on CPUs that enables applications to read the entire kernel memory of the machine it executes on, including all physical memory at kernel level. Meltdown does not exploit any software vulnerability. Instead, it exploits side-channel information that is available on most modern processors.

Meltdown subverts CPU memory isolation capabilities and allows unprivileged process to read data mapped in the kernel address space, including the entire physical memory on Linux and OS X, and a large fraction of the physical memory on Windows. Hence, an enormous number of chip-based systems are affected.

KAISER patch can be used to prevent the vulnerabilities from being exploited by Meltdown in Linux. KAISER was initially developed to prevent site-channel attacks targeting KASLR where stronger isolation between kernel and user space is implemented.


Spectre involves speculative execution technique which is used by processor in order to increase performance by guessing likely future execution paths and prematurely executing the instruction. Spectre attack involve inducing a processor to speculatively perform operations which results in leakage of side channel information to the attacker.

Speculative execution requires that the processor make guesses as to the likely outcome of the branch instructions. Better prediction improve performance by increasing the number of speculatively executed operations that can be successfully committed.

This attack is different from Meltdown where Meltdown heavily relies on observation that when an instruction causes a trap and exploit a privilege escalation vulnerability specific to Intel processor due to which speculatively executed instructions can bypass memory protection. Spectre tricks other applications into accessing arbitrary location in their memory. Both techniques use side-channels to obtain the information from accessed memory location.

Spectre includes a bounds check bypass covered in CVE-2017-5753 and branch target injections covered in CVE-2017-5715. Meltdown is a rogue data cache load, which is covered in CVE-2017-5754.

System Affected

Affects all desktops, laptops, servers, cloud computers, mobile phones and embedded devices running on Intel, AMD and ARM processors.


We advise agencies to take the following actions:

  1. Update all your devices operating systems with the latest security patches and firmware updates soon-to-be-released by respective vendors (refer to the CVE links under Reference); and
  2. For any incidents related to this attack, please report to NC4.


  1. CVE-2017-5754
  2. CVE-2017-5753
  3. CVE-2017-5715
  4. USCERT Vulnerability Note VU584653
  6. Meltdown and Spectre - Bugs in modern computer leak password and sensitive data
  7. Reading privileged memory with a side-channel
  8. Kernel-memory-leaking Intel processor design flaw forces Linux Windows redesign


Source : National Cyber Coordination and Command Centre (NC4) Official Website



National Security Council
Prime Minister's Department
Level LG & G, West Wing,
Perdana Putra Building,
Federal Government Administrative Center,
62502 Putrajaya, Malaysia.


Number of Visitors Last Updated
713,302 27 Jun 2024