The National Information Assurance Glossary produced by the Committee on National Security Systems defines a vulnerability...
as a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited." The U.S. Air Force Software Protection Initiative defines a system vulnerability to be the intersection of three elements: "a system susceptibility or flaw, the ability of a threat to gain access to the flaw, and the ability of a threat to exploit the flaw."
Based on these definitions, should the Meltdown and Spectre CPU flaws be classified as vulnerabilities or, as some argue, just features that malicious actors have worked out how to exploit, and does it even matter how we categorize them?
Modern operating systems prevent user applications from reading or writing kernel memory -- which is an area of protected memory -- and ensure that user applications cannot access another application's memory. This memory isolation is critical to enabling devices to securely run multiple applications and cloud-based servers to keep the processes of multiple users discrete on a single machine.
How Meltdown and Spectre work
Meltdown completely breaks any security assumptions based on address space isolation and those security mechanisms, like kernel address space layout randomization, that are based on memory isolation. As a result, Meltdown enables an attacker to obtain a dump of the entire kernel address space, including any mapped physical memory, while Spectre can obtain data stored in the memory of other running programs.
Neither attack relies on software vulnerabilities, and they are both independent of the operating system, as they use side channels to obtain data from memory. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, while most Intel processors are vulnerable to Meltdown.
A side-channel attack uses information gained from the physical implementation of processing hardware. It may monitor power consumption and electromagnetic emissions while a device is performing cryptographic operations.
However, in the case of Meltdown, CPU data cache timing can be abused to leak information because of how the processors handle speculative execution, which modern chips use to improve performance. Spectre leverages speculative execution slightly differently, as it tricks the processor into speculatively executing instruction sequences that should not execute during correct program execution. This leads to information from within another program's memory address space leaking.
Are they vulnerabilities?
Vulnerabilities aren't deliberately created, and any impact on security is unintentional, but both Meltdown and Spectre potentially enable an attacker to perform unauthorized actions within a computer and, therefore, reduce its information assurance. Even if vendors don't want to refer to Meltdown and Spectre as vulnerabilities, they are fundamental design flaws and they meet accepted definitions of what constitutes a vulnerability. The National Vulnerability Database has assigned the CVE identifiers CVE-2017-5753 and CVE-2017-5715 to Spectre and CVE-2017-5754 to Meltdown.
What is more important to how a flaw or vulnerability is categorized is how it is ranked in terms of severity, as this helps system administrators prioritize mitigation strategies. The National Vulnerability Database provides severity rankings of low, medium and high and CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754 all have an impact base score of 5.6 Medium, with an exploitability score of 1.1.
So far, no Meltdown and Spectre attacks have been seen in the wild, but this may well change, as the affected user base is so large that it is worthwhile for cybercriminals to develop a fully working exploit. Security teams should stay on top of developments and carefully follow advice from major vendors as to the timing and effectiveness of any patches for Meltdown and Spectre they plan to release.