National Post (National Edition)

Researchers find major security flaw common to most modern computers.

Report exposes vulnerabilities

- HAMZA SHABAN

Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data — including passwords and other sensitive information — on desktops, laptops, mobile phones and cloud networks around the globe.

The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet. Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses.

“This is a really, really serious problem,” Vlado Keselj, a professor of computer science at Dalhousie University in Halifax, told The Canadian Press.

“The good news is I think it’s really hard to exploit this vulnerability. But it could just be a matter of time before someone manages to do that.”

Researchers at Google’s Project Zero, academic institutions and private companies published their findings on the vulnerabilities on Wednesday.

The more pervasive flaw of the two, dubbed Spectre, leaves the world’s supply of microprocessors potentially vulnerable to attack, the researchers said. They have verified that the exploit, which breaks down the isolation between different applications, can affect products made by Intel, AMD and Arm. “As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre.

While hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said. There’s no complete software fix against Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defence company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behaviour. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute.

“Right now it’s kind of tricky to take advantage of it,” Daly said. “But it’s not going to stop there. They will improve on it.”

The other flaw, called Meltdown, affects most Intel processors made after 1995. And while security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow down their performance by as much as 30 per cent, according to some estimates.

Intel said in a blog post Wednesday that it has begun providing updates to mitigate the risks posed by the exploits. The company also downplayed concerns about slowed performance, noting that for the “average computer user” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said.

Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on Jan. 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.

Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have or will soon be updated to protect against the newly disclosed vulnerabilities.

Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates.

On Thursday, Intel’s stock dropped more than 2 per cent during intraday trading. But AMD climbed more than 1.3 per cent following the publication of the security flaws.

In a statement Thursday, Arm said that the majority of its processors are not affected by Spectre or Meltdown but confirmed that it has been working with Intel, AMD and other partners to develop defences against the vulnerabilities.

“It’s a positive thing that we have independent verification — researchers looking for vulnerabilities,” said Daly. “Most of the software vendors welcome that interaction as long as you see this disclosure in private first, so you have a chance to fix the bugs.”

Prof. Raphael Khoury of the Université du Québec à Chicoutimi said it’s not unusual for major software or hardware vulnerabilities to go undetected for a long time but it’s good Intel is releasing its fix before damage could be done.

“Maybe the initial patch will have a substantial slowdown and then in the coming weeks they can take their time to produce a better fix,” Khoury said.

“It’s better to initially suffer through this slowdown, at least we’re secure.”

JOHN LOCHER / THE ASSOCIATED PRESS FILES: One disclosed flaw, called Meltdown, affects most Intel processors made after 1995.
