Simple web browsing risky
Ordinary web-browsing could be enough to expose data to hackers in the wake of Google’s exposure of a fundamental design flaw in Intel chips and other microprocessors.
Government cyber-security agency Cert NZ has confirmed that simply running websites in multiple tabs in a web browser could be enough to expose confidential information such as internet banking passwords to hackers who learn to exploit the underlying flaw.
Intel says computer firms are making good progress mitigating a design flaw in its processors that has rocked the computer industry and put most of the world’s information at risk from hackers.
However, there are fears the underlying problem, which is not confined to Intel, may not be easily fixable.
To speed up computing, modern computer processors will try to jump ahead to process software routines while they are still awaiting the outcome of another operation or instruction.
What Google’s researchers discovered was that the discarded results of those ‘‘speculative processes’’ can remain unsecured in the processor’s cache, leaving it exposed to malicious software.
Software that could be used to expose that data includes Javascript routines that are commonly run on computers simply as a result of visiting websites.
Cert NZ director Rob Pope confirmed it was ‘‘theoretically possible’’ that if someone was using multiple tabs in a browser, an attacker might be able to use the Spectre vulnerability identified by Google via one of the tabs ‘‘to access information on other open tabs in the browser, for example internet banking information’’.
‘‘Our advice for this scenario is that people make sure that their device and browser are always up-to-date. Many browser manufacturers have already started releasing security updates,’’ he said.
‘‘It’s also important to follow good online security practices all the time to make sure accounts are safe, such as using a different password for every online account, and enabling two-factor authentication.’’
Apple spokeswoman Kristen Young said its Safari browser was not susceptible to the cross tab-threat as it isolated processes running on different tabs as a default.
‘‘Therefore information on tab ‘a’ is not going to be accessible in any way on tab ‘b’.’’
Google’s Chrome browser also supports site isolation, but only if users manually switch it on.
Most of the concerns regarding the speculative processing flaw have centred on a particular exploit based on the same underlying vulnerability which may be effectively specific to Intel processors, dubbed Meltdown.
Intel said on Friday that it and other computer companies had made good progress deploying firmware and operating system updates to mitigate against that threat.
But the United States Computer Emergency Response Team said the fixes could slow down Intel’s processors by up to 30 per cent.
Intel has not responded to requests for comment on whether it may compensate computer owners for any performance degradation. Because of the nature of the flaw, businesses and cloud computing companies are expected to be most affected.
Vice-president Stephen Smith told investors on Thursday that it did not expect any financial fall-out, but Reuters reported that fears the company might be on the hook for compensation were weighing on Intel’s share price.
US technology site Gizmodo said Intel had already been hit with at least three separate class action lawsuits relating to the vulnerability.