I won't worry too much on this. We would have been victimised on a massive scale had the hackers known about this hardware bug. But luckily this didn't happen - at least not reported. Hopefully, some software patches would come out pretty soon to overcome this nuisance.
‘Meltdown’: Google team flags Intel bug that may affect billions of devices
RT : 4 Jan, 2018
Information stored on every desktop computer, smartphone and
cloud server since 1995 could be accessed by hackers if two hardware
bugs are exploited, a new report has warned.
On Wednesday, security researchers at Google Project Zero disclosed
technical details on two security flaws that allow hackers to engage in
unauthorized reads of a computer’s memory data, which may contain
sensitive information such as passwords.
The researchers
discovered that the vulnerabilities affect many CPUs, including those
from Intel, Advanced Micro Devices (AMD) and ARM Holdings, as well as
the devices and operating systems running on it.
The first method of attack, known as Spectre, can be exploited by
hackers to dissolve the barrier that separates different applications
and trick otherwise error-free applications into leaking information
stored on their memory.
Last year, researchers demonstrated how hackers could utilize “speculative execution” – a technique used by most modern processors to optimize performance – to gain access to sensitive information.
In
order to improve speeds, modern processors execute certain functions
speculatively, or before it is known whether they are needed. The
technique prevents the delay that would come from executing the
functions after they are requested.
Jann Horn, a lead researcher
for Project Zero who first reported both vulnerabilities, discovered
that attackers can take advantage of this technique in order to read
information on the system’s memory that should be inaccessible.
In the original report, researchers said the vulnerability affects “billions of devices” that use microprocessors from Intel, AMD, and ARM
The second flaw, known as Meltdown, allows hackers to “melt”
security boundaries between user applications and the operating system
normally enforced by hardware. Hackers can exploit the vulnerability to
gain access to the memory of other programs and the operating system,
which could include passwords and other sensitive data.
In the original report, researchers said the vulnerability affects “virtually every user of a personal computer.” However, researchers at Google’s Project Zero have only been able to show that ‘Meltdown’ affects Intel microprocessors.
Daniel Gruss, one of the researchers who originally discovered Meltdown, told Reuters the flaw is “probably one of the worst CPU bugs ever found.”
Gruss
said Meltdown was the more serious attack, because it was easier for
hackers to take advantage of. However, he said that Spectre was much
harder to patch, and would be a bigger problem in the future.
In an overview of the attacks, researchers said it would be “unusual” for either attack to be blocked by an antivirus, since they are “hard to distinguish from regular benign applications.”
Google said, however, that an attacker must first be able to run a
malicious code on a computer before they can exploit the vulnerability.
Researchers
also warned it would be nearly impossible to detect if hackers had
exploited the weakness, since the attack would not leave “any traces in traditional log files.”
In a blog posted Wednesday, Matt Linton, senior security engineer at Google, said there is “no single fix for all three attack variants,” but many vendors made several patches available Wednesday.
Google provided a list
of their products that are vulnerable to the attacks, as well as their
mitigation status. The company said as soon as they discovered the
vulnerabilities, their security teams updated their systems and affected
products to protect against the attacks.
Researchers also provided a link to software patches for Linux Windows, and OS X that guard against Meltdown attacks.
Microsoft released a patch
Wednesday to protect customers against the vulnerabilities. However,
the company said some anti-virus vendors will need to update their
software to be compatible with the new patches.
The company has also released an emergency update
for all devices running Windows 10, and further updates are planned.
Microsoft also said they are in the process of deploying mitigations to
cloud services. However, the fixes will also rely on firmware updates
from Intel, AMD, and ARM.
Microsoft said they have not received “any information to indicate that these vulnerabilities had been used to attack our customers,” according to a statement to The Verge.
Amazon has also reportedly said they have protected most of their cloud servers from the vulnerabilities.
Apple Insider reports that Apple has already deployed a partial fix for the bug in MacOS 10.3.2 that was released last month.
The report also said that tests show the update does not cause any notable slowdowns.
On Tuesday, The Register first reported on the vulnerabilities, saying the patches to fix the problem would slow computers by 30 percent.
While researchers do not know how much the updates could slow the performance of older processors, Intel released a statement Wednesday that said the updates will not “significantly” slow computers for the average user.
“Any
performance impacts are workload-dependent, and, for the average
computer user, should not be significant and will be mitigated over
time."
Intel rejected claims that either of the vulnerabilities were unique to their products, adding that it affects “many
types of computing devices – with many different vendors’ processors
and operating systems – are susceptible to these exploits.”
However, AMD said their products were not vulnerable to any of the attacks.
“Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time,” representatives of the company told CNBC.
ARM also released a statement Wednesday that said the “majority” of their products are “not impacted by any variation” of the Spectre attack.
Selected Comments:
# Backdoors installed by the chip makers to allow spying, not flaws. It ain't no bug. It's by design.
# considering all 3 big cpu producers have the same "bug", no surprise there...
# Microsoft and Intel have been scamming their customers - these patches are designed to slow your machine down. Y'all won't be using your current hardware for long and the 'buy-use-sell' consumer cycle will continue (until we run out out landfill space).
# major scam but people have blinkers and won't see it and of course they announce the slowdown in advance to prevent any class-action lawsuits (as what happened to Apple).
# The call that planned obsolescence.
# ISIS inside.
Selected Comments:
# Backdoors installed by the chip makers to allow spying, not flaws. It ain't no bug. It's by design.
# considering all 3 big cpu producers have the same "bug", no surprise there...
# Microsoft and Intel have been scamming their customers - these patches are designed to slow your machine down. Y'all won't be using your current hardware for long and the 'buy-use-sell' consumer cycle will continue (until we run out out landfill space).
# major scam but people have blinkers and won't see it and of course they announce the slowdown in advance to prevent any class-action lawsuits (as what happened to Apple).
# The call that planned obsolescence.
# ISIS inside.
No comments:
Post a Comment