
The Vulnerabilities in Vogue: Spectre and Meltdown

Design flaws in processors from leading chipmakers could let attackers access sensitive information. How did this happen, and what's the fix?

While the whole industry is scrambling on Spectre, Meltdown focused most of the spotlight on Intel, and there is no shortage of outrage in Internet comments. Like many great discoveries, this one is obvious with the power of hindsight, so much so that reactions have spanned an extreme range, from “It’s so obvious, Intel engineers must be idiots” to “It’s so obvious, Intel engineers must have known! They kept it from us in a conspiracy with the NSA!”

Source: Graz University of Technology/Natascha Eibl

For those of you who don't know, this notorious exploit allows access to your operating system’s sacrosanct kernel memory because of how the processors handle “speculative execution,” which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in the protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.

Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop.



Here's why that happens: to make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That's called speculative execution. While the chip is working ahead on a guess, sensitive information is momentarily easier to access.

What are tech behemoths doing?

Intel CEO Brian Krzanich says the problems are well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said that 90 percent of chips released in the last five years will have fixes available by about Jan. 13 and that for chips up to 10 years old, fixes will be released in the coming weeks.

On Jan. 22, Intel halted some updates to its chips after reports that the patches were causing devices to unexpectedly reboot.

Microsoft right away released patches for the Windows operating system and its Internet Explorer and Edge browsers, but warned that your antivirus software needs to be updated to support those patches.

Apple said on Jan. 4 that it has released mitigations for the Meltdown flaw for the operating systems on its Mac computers, Apple TVs, iPhones and iPads, and that neither Meltdown nor Spectre affects the Apple Watch. Apple also said on Jan. 4 that it will release patches "in the coming days" for the Safari browser to help defend against Spectre exploits and that it will continue to release patches in future updates of its iOS, macOS and tvOS software.

On Jan. 7, Apple released an update to its iOS software that patches Spectre on iPhones and iPads. On Jan. 23, Apple released an update to the Sierra and El Capitan versions of its Mac operating systems.

What can we do to protect ourselves?

Researchers, chipmakers and computer companies all say there are no known examples of hackers using these weaknesses to attack a computer. However, now that the details of the design flaws and how to exploit them are publicly available, the chances of hackers using them are much higher.

As chipmakers and computer companies roll out software updates, be sure to install them. Keep all your other software updated as well, including your web browsers and Flash (if you're still using it). Also, run security software to make sure you don't have any malicious software on your computer right now.
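Once the updates are installed, it is worth confirming that they took effect. On Linux, patched kernels report their Meltdown and Spectre status in one file per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from this post or its sources; it assumes a Linux machine (this post does not name that interface), and the function names are illustrative.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
from pathlib import Path

# Assumption: Linux host. The kernel exposes one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to 'ok', 'vulnerable' or 'unknown'."""
    text = status.strip()
    # The kernel writes "Not affected", "Mitigation: <details>" or
    # "Vulnerable[: <details>]" as the first word(s) of the file.
    if text == "Not affected" or text.startswith("Mitigation:"):
        return "ok"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check(directory=SYSFS_DIR, issues=ISSUES):
    """Return {issue: (verdict, raw status line)} for each issue."""
    report = {}
    for name in issues:
        try:
            raw = (Path(directory) / name).read_text()
        except OSError:
            # No file means the kernel does not report on this issue,
            # so the update cannot be confirmed from here.
            report[name] = ("unknown", "status file not present")
            continue
        report[name] = (classify(raw), raw.strip())
    return report


def unresolved(report):
    """Names of issues that are not confirmed as mitigated."""
    return sorted(n for n, (verdict, _) in report.items() if verdict != "ok")


if __name__ == "__main__":
    result = check()
    for name, (verdict, detail) in result.items():
        print(f"{name:12} {verdict:10} {detail}")
    # Non-zero exit lets a patch-compliance job flag the machine.
    raise SystemExit(1 if unresolved(result) else 0)
```

An "unknown" result should be treated like "vulnerable" until the kernel has been updated and the check repeated.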

Source: CNET, PCWorld and Hackaday
