Microchip flaws put nearly every device at risk to hackers
Two microprocessor bugs that allow hackers to steal data from the memory of running apps have put nearly all computing devices at risk
Tech companies around the world are reeling and rushing to provide fixes for two microprocessor flaws that have put nearly all the computing devices in the world at risk from hackers.
The flaws — dubbed Meltdown and Spectre— are in chips made by Intel and other major suppliers. They can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails. The flaws were first disclosed by British technology news site the Register on Tuesday and made public Wednesday by the researchers who discovered them.
Because the flaws date back more than two decades and Intel chips are ubiquitous among computers, cloud servers and mobile devices, they affect nearly all computing devices in operation and servers that store memories in the cloud.
Users have little choice but to wait for new software patches from makers of their devices, the researchers said. Technology companies quickly began issuing fixes for the flaws this week, or notifying consumers about their timelines for doing so.
But even the software fixes will not be able to totally fix the hardware bugs rooted in modern computing for the last 20- odd years, said cybersecurity company CEOs and professors.
“Here is the simple truth: Every CPU created since 1995 is a victim of these bugs,” said Ahmed Banafa, a cybersecurity professor at San Jose State University.
Meltdown is exclusively on Intel chips and allows hackers to bypass the hardware barrier be--
tween running applications and the computer’s memory, thereby allowing hackers access to the latter, the researchers said.
Spectre affects chips made by Intel, AMD and ARM. It could enable hackers to trick applications into handing over secret information, according to the researchers.
Both bugs seek to break down the longstanding barrier between the dayto-day user interactions on the computer and the sensitive data the computer collects about the user. Hackers could use Meltdown or Spectre through a simple phishing email, or any trap to install their code, and could eventually seize the user’s sensitive data.
“There are lots of different ways for hackers to trick someone to let them execute the code,” said Ryan Kalember, senior vice president of cybersecurity strategy at the Sunnyvale-based cybersecurity company Proofpoint. Kalember also noted that being attacked using Meltdown or Spectre is “highly unlikely.”
Meltdown is themore serious short-term issue and easier to fix than Spectre, Daniel Gruss, an Austriabased researcher who discovered Meltdown, told Reuters. Gruss was part of a research team led by Google Project Zero, which seeks to expose vulnerabilities and fix them before hackers exploit them. Although Google Project Zero spearheaded the effort, most of the researchers involved are independent of Google.
The effects of the flaws have rippled through every major computer and cloud server company, including Apple, Microsoft, Google and Amazon.
While the hacking potential through Meltdown and Spectre is enormous, there have been no recorded malicious exploits, according to researchers. However, now that Meltdown and Spectre are public knowledge, the chances may increase.
Affected companies on Wednesday rushed out statements and fixes for the flaws, offering hope that the issue may be mitigated.
Microsoft rushed out an automatic Windows update on Wednesday. But some Windows users may not be able to get the update due to third-party antivirus applications, according to Microsoft.
“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor,” said Microsoft in a blog post.
Google, whose Android phones and Chrome browser are vulnerable, announced it will have updated software versions with security patches this month. New Android software will roll out Jan. 5, and Google Chrome will update Jan. 23, according to Google. The company also alerted users to update their operating systems.
Mozilla, which operates the Firefox browser, announced it will also include updates in its latest version.
Amazon, which runs the popular cloud service Amazon Web Services, announced on Wednesday a single percentage of servers were previously protected and that the rest would be patched later in the day. Like Google, Amazon also asked customers to patch the operating systems they use.
Apple said Thursday in a statement that it had already released mitigations for operating systems including the iOS, macOS and tv OS to stop Meltdown. It also plans to release a new update for the Safari browser to mitigate Spectre hacks.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” said Apple.
Intel, ARM and AMD bore the brunt of the criticism after the news broke.
AMD told multiple media outlets that “due to difference in AMD’s architecture” from the other two, the company believed there was “near zero risk to AMD processors at this time.”
In its initial statement Wednesday, Intel said this wasn’t solely an Intel issue.
“Recent reports that these exploits are caused by a ‘ bug’ or a ‘ flaw’ and are unique to Intel products are incorrect,” said Intel. “Based on the analysis to date, many types of computing devices— with many different vendors’ processors and operating systems — are susceptible to these exploits.”
On Thursday, Intel said it has already issued updates for the majority of processor products introduced within the past five years. Intel expects to issue updates for 90 percent of processor products introduced within the same time period by the end of the week.
However, pushback against Intel has been swift. Intel’s shares plunged 3.5 percent on Wednesday and 1.8 percent on Thursday. The decline followed news reports that Intel CEO Brian Krzanich sold a huge chunk of his stock in the company during November — after the company was aware of both Meltdown and Spectre.
AMD stock, meanwhile, rose 4.9 percent Thursday.
ARM does not have publicly traded shares as it was acquired by the Japanese conglomerate Softbank in 2016.
The researchers said they alerted Intel, AMD and ARM last June about both Meltdown and Spectre.
While most of the issued patches will likely fix Meltdown, researchers expressed concerns about how to fix Spectre. Because Spectre’s root issue is derived from how microprocessors have been designed since the 1990s to improve speed at the cost of security, the only way to solve the Spectre problem for now is to replace the entire CPU hardware or install a fix that will significantly slow down CPUs, they said.