Recently, a set of security flaws were disclosed. According to the report, those flaws can let hackers steal sensitive information from almost every device that contains a chip from Intel, Advanced Micro Devices, and ARM. One of these flaws is specific to Intel but the others affect laptops, desktop computers, smartphones, tablets and the internet services. Intel and ARM have told that the issue is not because of a design flaw, however, the users still need to download and install a patch and update their OS to apply the fix.
“Phones, PCs, everything is going to have some impact, but it’ll vary from product to product.” The two flaws were discovered by researchers with Alphabet’s Google Project Zero. Many academic and industry researchers were also involved in the discovery.
The first bug is called Meltdown. It affects intel chips and allows hackers to bypass the hardware barrier. After overcoming the hardware barrier between the applications and the computer’s memory, the hacker can read the computer’s memory and can copy passwords.
The second bug is called Spectre. It affects chips from Intel, AMD, and ARM. It allows hackers to trick an error-free application to give up secret information.
The researchers said that Apple and Microsoft have already created patches for their user’s desktop computers which were affected by Meltdown. Microsoft did not comment on the matter and Apple also didn’t return the request for comment on the matter. Daniel Gruss, a researcher at the Graz University of Technology, who was involved in discovering Meltdown said that “probably one of the worst CPU bugs ever found”.
Gruss said that the Meltdown was a more serious problem in the short term but it can be stopped with software patches. Spectre, on the other hand, is a broader bug and is applied to nearly all computing devices. It is harder for hackers to take advantage of it. It cannot be patched easily and therefore will be a bigger problem in the future.
Intel’s Krzanich said that Google told them about the flaw sometime ago and since then it has been testing fixes on the devices. Before the problem went viral on the internet, Google wrote on its blog that Intel and others have planned to disclose the issues on Jan 9. Google said that the affected companies were informed about the ‘Spectre’ flaw on June 1, 2017. It also reported about the Meltdown flaw later on before July 28, 2017.
The Register, a tech publication, was the first to report the flaws. It also reported that the update to fix the problems can make the Intel chips 5 to 30 percent slow. However, Intel denied that the fix will slow down the computers. Intel gave a statement saying, “Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
ARM spokesman, Phil Hughes told that the patches have already been shared with the partner companies. This includes many smartphone manufacturers as well. Hughes gave a statement in an email saying, “This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory.”
AMD chips were also affected by one variant of the security flaw. However, it can also be patched with a software update. The company told that there is near zero risks to AMD products at this time. Google gave a blog post and told that the Andriod phones which are running latest security updates are protected. Google’s own Nexus and Pixel are protected with latest security updates. Users who have Chromebooks, Chrome web browser and Google cloud services also need to install the latest updates. Gmail users are however safe and do not need to take any action.
Amazon Web Services said that almost all of their internet services were already patched and the remaining are in the process of being patched. The defect also affects the kernel memory on the Intel x86 processor chips. The Register reported that unnamed programmers were cited who allowed users of normal applications to discern the layout or content of protected areas on the chip. That can also make hackers to exploit other security bugs or expose secure information such as passwords. This will compromise individual computers and even the entire network server.
Dan Guido, the chief of cybersecurity consulting firm Trail of Bits, said that the businesses should move to update vulnerable systems as soon as possible. He said that hackers will quickly develop a code that can be used to launch attacks that exploits the vulnerabilities. Guido said, “Exploits for these bugs will be added to hacker’s standard toolkits.”
Since the report came, the shares in Intel have fallen down by 3.4%. But they went back up 1.2% to $44.70. The shares in AMD were up by 1% to $11.77. It is not clear whether Intel will be facing any serious financial liability or not from the reported flaw. Hans Mosesmann of Rosenblatt Securities in New York said, “The current Intel problem, if true, would likely not require CPU replacement in our opinion. However, the situation is fluid.”
