Title : Meltdown and Spectre flaws leave billions at risk of hacks
link : Meltdown and Spectre flaws leave billions at risk of hacks
Meltdown and Spectre flaws leave billions at risk of hacks
- Security researchers at Google's Project Zero discovered the two massive flaws
- Meltdown lets hackers bypass hardware barriers on Intel chips to steal data
- Spectre is far more widespread and affects chips from Intel, AMD and ARM
- This lets cyber criminals trick applications into giving up secret information
- Patches are forthcoming from a range of firms to plug the huge security holes
- Consumers should check with their device maker and operating system provider
Two massive security flaws could put billions of people worldwide at risk of being hacked, in a shocking lapse affecting nearly all devices.
Meltdown and Spectre could let cyber criminals steal passwords and other data from nearly every gadget containing chips from Intel, AMD and Arm, thanks to 'design flaws' in their manufacture.
The bugs affect desktops, laptops, servers, smartphones and tablets, as well as smart devices like baby monitors, smart cars and thermostats, powered by processors from these firms.
Patches have been created by a number of device manufacturers to try and plug the huge security holes, but fixing the underlying issue will be extremely difficult.
Scroll down for video
Details have emerged about two massive security flaws which put billions of people worldwide at risk of being hacked. Meltdown and Spectre could let cyber criminals steal data from nearly every computing device containing chips from Intel, AMD and Arm
Security researchers at Google's Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, exposed the two flaws.
Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory.
It was first discovered by Project Zero in June last year, when expert Jann Horn found that passwords, encryption keys, and sensitive information open in applications that should have been protected could be accessed.
A second bug, called Spectre, affects chips from Intel, AMD and Arm.
This lets hackers potentially trick otherwise error-free applications into giving up secret information.
Project Zero disclosed the Meltdown vulnerability not long after Intel said it's working to patch it.
Intel says the average computer user won't experience significant slowdowns as it's fixed.
Tech companies typically withhold details about security problems until fixes are available, so that hackers don't have a roadmap to exploit the flaws.
Both Intel and Google said they were planning to disclose the issue next week, when fixes will be available.
But Intel was forced to come clean about the problem yesterday after news of the flaw became public.
Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory
In an interview with CNBC yesterday, Intel CEO Brian Krzanich said: 'We've found no instances of anybody actually executing this exploit.
'Phones, PCs, everything are going to have some impact, but it´ll vary from product to product.'
However, clips on social media claim to show computer security experts using the exploit.
Michael Schwarz, who has a PhD in information security, posted on Twitter 'Using #Meltdown to steal passwords in real time', along with a GIF animation of the procedure.
Researchers say Apple and Microsoft have patches ready for users for desktop computers affected by Meltdown.
Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it 'probably one of the worst CPU bugs ever found' in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.
Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.
Intel's CEO said Google researchers told Intel of the flaws 'a while ago' and that Intel had been testing fixes that device makers who use its chips will push out next week.
Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on January 9.
Intel was forced to come clean about the Meltdown problem yesterday after news of the flaw, which affects laptops like this HP, became public
The bugs affect desktops, laptops, servers, smartphones and tablets, as well as smart devices like powered by processors from a range of manufacturers.
Apple's iPhone is likely to be among the devices affected, as it's processors are based on a 64-bit Arm chip. There has been no public comment from the company. One researcher has suggested MacOS 10.13.2 has a fix for the flaw affecting its desktop and laptop machines
Google said it informed the affected companies about the 'Spectre' flaw on June 1, 2017 and reported the 'Meltdown' flaw after the first flaw but before July 28, 2017.
The flaws were first reported by tech publication The Register.
It also reported that the updates to fix the problems could causes Intel chips to operate five to 30 per cent more slowly, with some experts claiming this could be more like 50 per cent.
Security researchers at Google's Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, discovered the two flaws. Google's own Home smart speakers use Arm processors
Intel denied that the patches would bog down computers based on Intel chips.
'Intel has begun providing software and firmware updates to mitigate these exploits,' the Santa Clara, California, Company said in a statement.
'Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.'
ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers.
'This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory,' Mr Hughes said in an email.
AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update.
A second bug, called Spectre, affects chips from Intel, AMD and Arm. This lets hackers potentially trick otherwise error-free applications into giving up secret information. This image shows a Motorola video baby monitor which uses Arm chips
Patches have already been created by a number of device manufacturers and operating system creators to plug the huge security holes. This image shows Mio's DigiWalker GPS system, which also uses an Arm processor
The company said it believes there 'is near zero risk to AMD products at this time.'
Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates.
Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.
Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched.
The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.
That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.
Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities.
'Exploits for these bugs will be added to hacker´s standard toolkits,' Mr Guido said.
Shares in Intel were down by 3.4 per cent following the report but nudged back up 1.2 percent to $44.70 (£33) in after-hours trading.
Shares in AMD were up one per cent to $11.77 (£8.70), shedding many of the gains they had made earlier in the day when reports suggested its chips were not affected.
It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.
'The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid,' Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company's reputation.
Thus Article Meltdown and Spectre flaws leave billions at risk of hacks
You are now reading the article Meltdown and Spectre flaws leave billions at risk of hacks with the link address https://coneknews.blogspot.com/2018/01/meltdown-and-spectre-flaws-leave.html
0 Response to "Meltdown and Spectre flaws leave billions at risk of hacks"
Post a Comment