Security flaws found in microprocessors
Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data — including passwords and other sensitive information — on desktops, laptops, mobile phones and cloud networks around the globe.
The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet. Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses.
Researchers at Google’s Project Zero, academic institutions and private companies published their findings on the vulnerabilities on Wednesday.
The more pervasive flaw of the two, dubbed Spectre, leaves the world’s supply of microprocessors potentially vulnerable to attack, the researchers said. They have verified that the exploit, which breaks down the isolation between different applications, can affect products made by Intel, AMD and Arm. “As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre.
While hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said. There’s no complete software fix against Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defense company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behavior. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute.
“Right now it’s kind of tricky to take advantage of it,” Daly said. “But it’s not going to stop there. They will improve on it.”
The other flaw, called Meltdown, affects most Intel processors made after 1995. And while security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow down their performance by as much as 30 percent, according to some estimates.
Intel said in a blog post Wednesday that it has begun providing updates to mitigate the risks posed by the exploits. The company also downplayed concerns about slowed performance, noting that for the “average computer user” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said.
Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.
Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have or will soon be updated to protect against the newly disclosed vulnerabilities.
Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates.
In a statement Thursday, Arm said that the majority of its processors are not affected by Spectre or Meltdown but confirmed that it has been working with Intel, AMD and other partners to develop defenses against the vulnerabilities.
Apple and AMD did not immediately respond to requests for comment.