Intel has acknowledged the massive, chip-level security flaw recently discovered in virtually all modern Intel processors; the vulnerability will require urgent fixes within Windows, Mac OS X, and Linux.
Earlier this week, security researchers took note of a series of changes Linux and Windows developers began rolling out in beta updates to address the critical security flaw. Details of the fixes being developed point to issues concerning unprivileged access of secured data stored in a computer’s memory by regular programs. It is feared that the security flaw within the Intel processors could be exploited to access passwords, login credentials, and other protected information on the computer.
Theoretical attacks that exploit the bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. And on multi-user machines, like the servers hosted by Google Cloud Services or Amazon Web Services, they could even allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.
Modern operating systems utilize essential security services provided by Intel’s chips. But it’s up to the operating systems themselves to fundamentally overhaul their security mechanisms to perform the functions they previously relied upon Intel’s chips to carry out when a vulnerability is discovered within the chip.
The fixes involve moving the memory used by the kernel — the most privileged core of the computer’s operating system — to be isolated away from memory used by normal programs. That way, normal programs, including anything from scripts running on a website to installed computer programs, cannot be manipulated to exploit the hole and gain access to the protected kernel memory.
But implementing the fix is expected to significantly affect the performance of the computer, slowing down some processes by up to around 30% — which Intel claims to be an exaggeration, stating that all changes in performance were “workload-dependent.”
Though normal computer users could experience some drops in performance, the security flaw also affects cloud servers, with Amazon, Microsoft, and Google all expected to have to patch the hole with similar performance-reducing fixes.
These hardware vulnerabilities have been categorized into two attacks, dubbed “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715). While Meltdown affects laptops, desktop computers, and internet servers with Intel chips, Spectre potentially has a wider reach. It affects some chips in smartphones, tablets, and computers powered by Intel, ARM, and AMD processors.
On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of both attacks, which revealed that almost every modern processor since 1995 is vulnerable to the issues.
“These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”
Both attacks take advantage of a feature in chips known as “speculative execution,” a technique used by most modern CPUs to optimize performance.
“In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions,” Project Zero says.
Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine.
Microsoft, Apple, and Linux, the three major operating system makers, are all issuing security patches. Users should update their systems as soon as the fixes are available to ensure they remain protected.
Apple has said that all Macs, iPhones, and iPads are affected by Meltdown, but Macs running the latest version of macOS, numbered 10.13.2, are safe.
The same is true for the latest iOS version 11.2, which is used on iPhones and iPads.
Apple said it will release updates to mitigate against Spectre “in the coming days”.
Microsoft released an emergency Meltdown patch for Windows 10 on January 4th via Windows Update. This will subsequently also be applied to Windows 7 and 8 machines.
However, users with third-party anti-virus or security software should also check that this has been updated first, in order for the Windows Update process to install the patch.
Google said Android phones with the most recent security updates are protected, and users of web services like Gmail are also safe. Chromebook users on older versions will need to install an update when it comes. Chrome web browser users are expected to receive a patch on January 23rd.
Cloud services for businesses, including Amazon Web Services and Google Cloud Platform, say they have already patched most services, and will fix the rest soon.
Spectre is thought to be much harder to patch and no fix for it has yet been made widely available.