Tech firms rush out patches for 'pervasive' computer flaw

January 5, 2018

Amid a frantic rush to patch a computer security flaw, experts struggled Thursday to determine the impact of a newly discovered vulnerability which could affect billions of devices worldwide.

Cybersecurity researchers called for systems to urgently install updates a day after the release of details of the so-called Spectre and Meltdown vulnerabilities affecting the chips powering most modern PCs and many .

Researchers on Wednesday published details of the flaw, which unlike many other vulnerabilities stems from the chip itself and how it safeguards private data stored on computers and networks.

The researchers at Google showed how a hacker could exploit the flaw to get passwords, encryption codes and more, even though there have been no reports of any attacks using the .

"The full extent of this class of attack is still under investigation and we are working with and other browser vendors to fully understand the threat and fixes," said Mozilla researcher Luke Wagner in a blog post.

The revelations "attack the foundational modern computer building block capability that enforces protection of the (operating system)," said Steve Grobman, at security firm McAfee.

"Businesses and consumers should update operating systems and apply patches as soon as they become available."

Intel updates

Computer chipmaking giant Intel—the focus of the first reports on the flaw—said the company and its partners "have made significant progress in deploying updates" to mitigate any threats.

"Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years," an Intel statement said.

"In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services."

But John Bambenek, a Fidelis security researcher who works with the SANS Internet Storm Center, warned that it may be too soon to know the extent of the problem.

"This bug is probably worth its name and logo considering the pervasive nature of the vulnerability," Bambenek said in a blog post.

"Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud... environments to leak memory outside the running virtual machine."

In a web page dedicated to the vulnerability, security researchers said Meltdown and Spectre may "get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."

The two flaws "work on personal computers, mobile devices, and in the cloud," the researchers said.

"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time," Apple said in a post at an online support page.

It advised only getting apps from its online App Store, which vets programs for safety, and said it has already released some "mitigations" to protect against the exploit and planned to release a defensive update for Safari on macOS and iOS in the coming days.

Some experts pointed out that the only real "fix" in some cases would be replacing the chip itself, which would be a massive issue for the computing industry.

"The good news is patches are out for almost everything," Bambenek said.

"The bad news is, Spectre, in particular can't be completely mitigated by patching as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit."

The US government's Computer Emergency Response Team initially indicated in a bulletin that only a hardware fix would solve the problem, but then removed that from an update.

"Fully removing the vulnerability requires replacing vulnerable CPU (central processing unit) hardware," said the first bulletin.


8 comments


Porgie
1 / 5 (7) Jan 05, 2018
HAHAHAH The left wing news is desperate to make this more than it is. I got my patch last night in an update. Problem solved. The liberal media wants to bash the chip makers because the government puts pressure on them to leave these flaws in place so they can catch the dirt bags. The left doesn't want to be caught. I want terrorists caught, drug dealers caught, tax evaders caught, those with open warrants caught. The liberal don't its votes gone.
Da Schneib
5 / 5 (5) Jan 05, 2018
They've violated access permissions to kernel memory in order to improve performance. That was a bad mistake. To truly secure against this class of attack they will have to figure out how to re-institute these permissions and it will require fixes in microcode, not operating systems.
DonGateley
5 / 5 (2) Jan 05, 2018
@Da Schneib - How does speculative execution violate access permissions?
TrollBane
not rated yet Jan 06, 2018
Porgie!
Zis is KAOS! Ve don't "ha ha ha" here.
tblakely1357
not rated yet Jan 06, 2018
Hmm, perhaps a marketing boon for the next generation of CPUs?
DonGateley
5 / 5 (1) Jan 06, 2018
@Da Schneib - How does speculative execution violate access permissions?


In a useful way I mean.

Long ago as a contractor writing diagnostic snippets I discovered speculative execution behavior in the first Power PC chip, which was developed at IBM Austin circa roughly 1987, while it still existed only in a simulator. As a former mainframe CPU architect with IBM I was absolutely amazed. At first I thought it was a design bug but the (brilliant) engineers set me straight with a grin and it immediately became my job to write the diagnostics that would verify its intended workings. I may be wrong but I don't believe the technique had been attempted prior. Given all that back story I am intensely curious how this bug actually works and how it can be exploited. I have not found any detailed description that would clue me. I just want to understand it, not use it. Honest.
BobSage
not rated yet Jan 07, 2018
"there are no known exploits impacting customers at this time"

This is funny, because apparently there is absolutely no way of knowing whether a computer has been accessed through this back door. There is no trace.

Strange the chips from 2 different manufacturers have the same bug. Could it be that it was built in on purpose?

I'm going to guess that this has been used since its inception for spying.
rrwillsj
1 / 5 (1) Jan 08, 2018
A perfect example of how the smartest of people can be counted upon to commit the stupidest of mistakes.

"Fool me once, shame on you!"
"Fool me twice, shame on me!"
"Fool me thrice and the result is a senile buffoon as the bogus POTUS!"
