(by Selena Larson, CNN Money) – Two major flaws in computer chips could leave a huge number of computers and smartphones vulnerable to security concerns, researchers revealed Wednesday.
And a U.S. government-backed body warned that the chips themselves need to be replaced to completely fix the problems.
The flaws could allow an attacker to read sensitive data stored in the memory, like passwords, researchers found. Daniel Gruss, a researcher from Graz University of Technology in Austria, who helped identify the flaw, said it may be difficult to execute an attack, but billions of devices were impacted.
Called Meltdown and Spectre, the flaws exist in processors, a building block of computers that acts as the brain. Modern processors are designed to perform something called “speculative execution.” That means they predict what tasks they will be asked to execute and rapidly access multiple areas of memory at the same time.
That data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
Researchers say almost every computing system — desktops, laptops, smartphones, and cloud servers — is affected by the Spectre bug. Meltdown appears to be specific to Intel (INTC) chips.
“More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors,” the researchers said.
Government agencies issued statements warning users about the vulnerabilities.
The U.S. Computer Emergency Readiness Team (CERT) said that while the flaws “could allow an attacker to obtain access to sensitive information,” it’s not so far aware of anyone doing so.
The agency (CERT) urged people to read a detailed statement on the vulnerabilities by the Software Engineering Institute (SEI), a U.S. government-funded body that researches cybersecurity problems.
The institute (SEI) said that “fully removing the vulnerability requires replacing vulnerable [processor] hardware.”
It later changed its guidance on Thursday to suggest updating software was enough. The institute didn’t say why it had made the change and didn’t immediately respond to a request for further information.
It said the problems affect technology giants including Apple, Google and Microsoft.
The U.S. Computer Emergency Readiness Team (CERT) recommended that users read advice posted online by Microsoft and software company Mozilla. …
Google programmer Jann Horn of Project Zero was one of the researchers who discovered the flaws. In a blog post, he said his group alerted chipmakers to the issues in June. Since last fall, security researchers and companies have investigated and updated software systems to address the flaws.
Intel chips are found in everything from personal computers to medical equipment. The company’s shares were down 3% on Wednesday.
The company said in a press release that “many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”
Intel said it is working with other chipmakers, including AMD and ARM Holdings, to solve the issue. ARM said in a statement a small subset of its processors are susceptible to the flaws. AMD said in a statement there is a “near zero risk of exploitation” for one of the security issues, due to architecture differences.
A fix requires both chip manufacturers and software makers to update their products before it can be pushed out.
Estimates posted on Linux message boards suggested computer performance could slow down between 5% and 30% once patched; however, Intel said users will not see significant performance changes.
Tech website The Register was first to report the processor flaws on Tuesday.
A spokesperson for Microsoft told CNNMoney the company is aware of the issue and is in the process of deploying mitigations to cloud services and has released security updates to protect Windows users.
Google’s Cloud Platform has been updated to prevent the vulnerabilities, the company said.
Amazon said in a statement most of its cloud computing machines affected by the flaw are already protected, but it was updating the rest on Wednesday.
Apple revealed Thursday that all its Mac and iOS devices were affected by the flaws, but said that “there are no known exploits impacting customers at this time.” The company has already released some fixes for Meltdown, and will release others for Spectre in subsequent updates.
It’s important for all users to update their devices when new updates are released.
Flaws in chips are unusual. Back in 1994, a major error in Intel’s Pentium processor caused computers to incorrectly calculate results.
— Jethro Mullen contributed to this report.
CNNMoney (San Francisco) First published January 3, 2018: 7:31 PM ET. Reprinted here for educational purposes only. May not be reproduced on other websites without permission from CNN Money.
From a Wall Street Journal article:
Disseminating patches can be relatively easy for some. Apple and Microsoft are able to quickly issue updates for affected iPhones, MacBooks and Windows computers. Google, however, must rely on device makers to pass on its security measures to Android phone users. Google said it had sent updates to manufacturers, but it wasn’t sure how many phones had received or will receive them.
And patches and other software fixes may not be the definitive answer. Patches can protect against Meltdown, but it isn’t clear if they can foil Spectre. CERT, a federally funded cybersecurity research organization at Carnegie Mellon University, initially said on Wednesday that new hardware was the only guarantee against the flaws. But on Friday, the organization updated its assessment, saying updates to operating systems or apps could “mitigate these attacks.”
Still, experts say full protection might require design changes, which could take a year to roll out. Luckily, they say, Spectre is difficult to exploit as it requires tailoring to the target systems, and that might take hackers a while.
“My hope is that by the time attackers learn to exploit this thing, the defense improves to the point that it’s no longer a serious threat,” said Werner Haas, chief technology officer of Germany-based Cyberus Technology and another of the researchers who helped uncover the vulnerabilities.