6 January 2018

Researchers Found Two Major Security Flaws In Processors That Affect Most Of The World's Computers

Blake Montgomery

Cybersecurity researchers have discovered two flaws in microprocessors that could grant hackers access to the entire memory stored on practically any computer in the world. On a website created to explain the flaws, researchers wrote that they "don't know" if hackers have exploited the bug. Researchers said they named one flaw "Meltdown" because it "basically melts security boundaries which are normally enforced by the hardware." The name "Spectre" for the second flaw came from the fact that there is no easy fix, which means it will likely "haunt us for quite some time."

Researchers said that the Meltdown flaw could affect nearly all of the microprocessors made by Intel since 1995, which power the vast majority of the world's personal computers and those used by businesses. Researchers said that they successfully tested the exploit on Intel processors made as early as 2011.

"Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer," the 13 researchers wrote. 

A Lenovo ThinkPad with Intel Corp.’s new processor is shown in 2012. 

Spectre could affect personal computers, smartphones, and servers because it's present on Intel processors, as well as those made by AMD and ARM, two of the world's other major processor makers, the researchers warned.

Both flaws are part of "speculative execution," which most processors use to speed up their performance. According to the New York Times, patching them could slow down computers by up to 30%.

In a blog post responding to the research, Intel said the flaws described had "the potential to improperly gather sensitive data from computing devices that are operating as designed," but that the company "believes these exploits do not have the potential to corrupt, modify or delete data."

AMD, another major processor manufacturer, also acknowledged the flaws in a statement.

Researchers believe Spectre is more difficult to exploit than Meltdown, but there is also no known fix.

Major companies have scurried to find solutions.

Apple's recent software updates reportedly protect against the vulnerability, although the company did not immediately respond to a request for comment.

The open source community that oversees the Linux operating system, which powers around 30% of the world's computer servers, has posted a patch for Meltdown, the New York Times reported.

In a blog post for Google, senior security engineer Matt Linton and Pat Parseghian, a technical program manager, published a laundry list of Google products that needed updating to circumvent the flaw. They include: Android, G Suite (Gmail, Calendar, Drive, etc), Chrome, ChromeOS (used in Chromebooks, which are popular in schools), Google Home and Chromecast, and more.

Android users with the latest update are protected, Linton and Parseghian said, and G Suite and Google Home users did not need to take action. But Chrome users need to update their browsers, as do ChromeOS users.

Mozilla also notified its users that it might have been swept up in the attack and said it was updating its Firefox browser to try and circumvent the risk.

Microsoft issued security updates to support versions of Windows Wednesday evening. According to the Verge, older versions will have to wait until next week for updates.

Amazon said in a statement that "all but a small number" of its Amazon Web Services cloud servers "are already protected," and that the remainder would be updated and shielded by Wednesday night. It advised customers to update on their end as well.

You can watch Meltdown in action here:

No comments: