‘Meltdown’: Google team flags Intel bug that may affect billions of devices
On Wednesday, security researchers at Google Project Zero disclosed technical details on two security flaws that allow hackers to engage in unauthorized reads of a computer’s memory data, which may contain sensitive information such as passwords.
The researchers discovered that the vulnerabilities affect many CPUs, including those from Intel, Advanced Micro Devices (AMD) and ARM Holdings, as well as the devices and operating systems running on them.
The first method of attack, known as Spectre, can be exploited by hackers to dissolve the barrier that separates different applications and trick otherwise error-free applications into leaking information stored in their memory.
Last year, researchers demonstrated how hackers could utilize “speculative execution” – a technique used by most modern processors to optimize performance – to gain access to sensitive information.
In order to improve speeds, modern processors execute certain functions speculatively, or before it is known whether they are needed. The technique prevents the delay that would come from executing the functions after they are requested.
Jann Horn, a lead researcher for Project Zero who first reported both vulnerabilities, discovered that attackers can take advantage of this technique in order to read information on the system’s memory that should be inaccessible.
In the original report, researchers said the vulnerability affects “billions of devices” that use microprocessors from Intel, AMD, and ARM.
The second flaw, known as Meltdown, allows hackers to “melt” security boundaries between user applications and the operating system normally enforced by hardware. Hackers can exploit the vulnerability to gain access to the memory of other programs and the operating system, which could include passwords and other sensitive data.
In the original report, researchers said the vulnerability affects “virtually every user of a personal computer.” However, researchers at Google’s Project Zero have only been able to show that ‘Meltdown’ affects Intel microprocessors.
Daniel Gruss, one of the researchers who originally discovered Meltdown, told Reuters the flaw is “probably one of the worst CPU bugs ever found.”
Gruss said Meltdown was the more serious attack, because it was easier for hackers to take advantage of. However, he said that Spectre was much harder to patch, and would be a bigger problem in the future.
In an overview of the attacks, researchers said it would be “unusual” for either attack to be blocked by an antivirus, since they are “hard to distinguish from regular benign applications.” Google said, however, that an attacker must first be able to run malicious code on a computer before they can exploit the vulnerability.
Researchers also warned it would be nearly impossible to detect if hackers had exploited the weakness, since the attack would not leave “any traces in traditional log files.”
In a blog post published Wednesday, Matt Linton, senior security engineer at Google, said there is “no single fix for all three attack variants,” but many vendors made several patches available Wednesday.
Google provided a list of their products that are vulnerable to the attacks, as well as their mitigation status. The company said as soon as they discovered the vulnerabilities, their security teams updated their systems and affected products to protect against the attacks.
Researchers also provided a link to software patches for Linux, Windows, and OS X that guard against Meltdown attacks.
Microsoft released a patch Wednesday to protect customers against the vulnerabilities. However, the company said some anti-virus vendors will need to update their software to be compatible with the new patches.
Microsoft Patch is out: https://t.co/t3bIKOu1yR. Note that your AV vendor must set a special registry key! "Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY." — Alex Ionescu (@aionescu) January 3, 2018
The company has also released an emergency update for all devices running Windows 10, and further updates are planned. Microsoft also said they are in the process of deploying mitigations to cloud services. However, the fixes will also rely on firmware updates from Intel, AMD, and ARM.
Microsoft said they have not received “any information to indicate that these vulnerabilities had been used to attack our customers,” according to a statement to The Verge.
Amazon has also reportedly said they have protected most of their cloud servers from the vulnerabilities.
AppleInsider reports that Apple has already deployed a partial fix for the bug in macOS 10.13.2, which was released last month.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c — Alex Ionescu (@aionescu) January 3, 2018
The report also said that tests show the update does not cause any notable slowdowns.
On Tuesday, The Register first reported on the vulnerabilities, saying the patches to fix the problem would slow computers by 30 percent.
While researchers do not know how much the updates could slow the performance of older processors, Intel released a statement Wednesday that said the updates will not “significantly” slow computers for the average user.
“Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Intel rejected claims that either of the vulnerabilities was unique to its products, adding that “many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits.”
However, AMD said their products were not vulnerable to any of the attacks.
“Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time,” representatives of the company told CNBC.
ARM also released a statement Wednesday that said the “majority” of their products are “not impacted by any variation” of the Spectre attack.