Tech companies around the world are reeling and rushing to provide fixes for two microprocessor flaws that have put nearly all the computing devices in the world at risk from hackers.
The flaws — dubbed Meltdown and Spectre — are in chips made by Intel and other major suppliers. They can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails. The flaws were first disclosed by British technology news site the Register on Tuesday and made public Wednesday by the researchers who discovered them.
Because the flaws date back more than two decades and Intel chips are ubiquitous among computers, cloud servers and mobile devices, they affect nearly all computing devices in operation, as well as the servers that store data in the cloud.
Users have little choice but to wait for new software patches from makers of their devices, the researchers said. Technology companies quickly began issuing fixes for the flaws this week, or notifying consumers about their timelines for doing so.
Meltdown affects only Intel chips and allows hackers to bypass the hardware barrier between running applications and the computer’s memory, giving them access to that memory, the researchers said.
Spectre affects chips made by Intel, AMD and ARM. It could enable hackers to trick applications into handing over secret information, according to the researchers.
Daniel Gruss, an Austria-based researcher who discovered Meltdown, described it as “probably one of the worst CPU bugs ever found,” in an interview with Reuters. Gruss also said Meltdown is the more serious short-term issue and easier to fix than Spectre. Gruss was part of a team of researchers led by Google Project Zero, which seeks to expose vulnerabilities and fix them before hackers exploit them. Although Google Project Zero spearheaded the effort, most of the researchers involved are independent of Google.
The effects of the flaws have rippled through every major computer and cloud server company, including Apple, Microsoft, Google and Amazon.
While the hacking potential through Meltdown and Spectre is enormous, there have been no recorded malicious exploits, according to researchers. However, now that Meltdown and Spectre are public knowledge, the chances of an attack may increase.
Affected companies on Wednesday rushed out statements and fixes for the flaws, offering hope that the issue may be mitigated.
Microsoft rushed out an automatic Windows update on Wednesday. But some Windows users may not be able to get the update due to third-party antivirus applications, according to Microsoft.
“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor,” said Microsoft in a blog post.
Google, whose Android phones and Chrome browser are vulnerable, announced it will have updated software versions with security patches this month. New Android software will roll out Jan. 5, and Google Chrome will update Jan. 23, according to Google. The company also alerted users to update their operating systems.
Mozilla, which operates the Firefox browser, announced it will also include updates in its latest version.
Amazon, which runs the popular cloud service Amazon Web Services, announced on Wednesday a single percentage of servers were previously protected and that the rest would be patched later in the day. Like Google, Amazon also asked customers to patch the operating systems they use.
Apple has not publicly announced any patches yet, but researchers have said Apple was working on a patch for macOS against Meltdown.
Intel, ARM and AMD bore the brunt of the criticism after the news broke. AMD told multiple media outlets that “due to difference in AMD’s architecture” from the other two, the company believed there was “near zero risk to AMD processors at this time.”
In its initial statement Wednesday, Intel said this wasn’t solely an Intel issue.
“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,” said Intel. “Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”
On Thursday, Intel said it has already issued updates for the majority of processor products introduced within the past five years. Intel expects to issue updates for 90 percent of processor products introduced within the same time period by the end of the week.
However, pushback against Intel has been swift. Intel’s shares plunged 3.5 percent on Wednesday and continued to sink Thursday. The decline followed news reports that Intel CEO Brian Krzanich sold a huge chunk of his stock in the company during November — after the company was aware of both Meltdown and Spectre.
The researchers said they alerted Intel, AMD and ARM last June about both Meltdown and Spectre.
While most of the issued patches will fix Meltdown, researchers expressed concerns about how to fix Spectre. Because Spectre’s root issue is derived from how microprocessors have been designed by multiple companies since the 1990s, Spectre may haunt computing devices for years to come.
“We’ve really screwed up,” said Paul Kocher, one of the researchers who discovered Spectre, to the New York Times. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
Published at Thu, 04 Jan 2018 20:48:19 +0000