Yesterday the IT world was hit by a huge storm, with computer companies and tech giants releasing details about major security flaws affecting Intel processing chips manufactured in the past decade. The whole industry has been left reeling in the wake of the announcement, as a security flaw in a computer’s most important and deep-seated piece of hardware defeats the fundamental protection that computers promise.
A few weeks ago, Linux and Windows developers began releasing a series of beta updates to remedy a critical flaw. Due to a bug in the Intel chips, low-privilege processes are allowed access to kernel memory, which is a highly privileged memory space. Because of quirks and shortcuts implemented by Intel for faster processing, a theoretical attack can allow malicious software to gain access to confidential and important information from other processes.
On 3rd Jan’17, full details about the attacks based on the flaw were released collectively by researchers at Google, Cyberus, Rambus and various universities. The two attacks were dubbed ‘Meltdown’ and ‘Spectre’.
“These hardware bugs allow programs to steal data which [is] currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs,” says an excerpt from a website the researchers created.
Meltdown: This attack lets malicious programs gain access to higher-privileged parts of computer memory. This allows code not only to find data in the kernel but also to access its contents. This attack is limited to Intel chips.
Spectre: Here the attack steals data from the memory of other applications running on the computer. This attack isn’t Intel-specific, and researchers say they’ve verified it on AMD and ARM systems as well.
Following the discovery of these flaws, Microsoft and Apple have released security patches for their respective operating systems. Implementing these fixes can, however, slow computers down by as much as 30 percent, researchers say, and such a performance hit could have major drawbacks for large-scale computing facilities. Linux too has released a patch fixing the security hole.
On the cloud computing front, Google says it has updated most of its systems and products to protect against the flaws. Microsoft has updated the majority of the Azure cloud infrastructure, though some aspects are still to be updated. Amazon is in a similar situation and says all but a single-digit percentage of instances are protected, with the remainder to be completed in the next few hours.
Spectre, on the other hand, is harder to deal with than Meltdown and has no clear solution yet.
Intel: Makes a point of emphasizing that sensitive data cannot be deleted or modified by exploiting the flaw. The statement is given below.
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
AMD: Points out that its chips are also vulnerable, although practically at zero risk. The full statement is as follows.
There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.
To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.
The news has clearly shaken the tech world, and news about curbing and fixing these worrisome flaws will continue to trickle in over time as businesses and consumers work to find a solution.