Google said in a blog post on its security blog that it shared a new fix, called Retpoline with its partners which fixes one of the Spectre vulnerabilities (CVE-2017-5715).
CERT, the cyber security project at Carnegie Mellon University sponsored by the USA government, on Friday withdrew its recommendation for the replacement of the central processing units (CPUs) of affected systems. And Intel has yet to comment publicly on the processor vulnerability. Microsoft also released a patch and security advisory for Windows, but noted that there is an issue with some “incompatible anti-virus applications” that could leave devices unable to boot and has not pushed the patch to systems with known AV issues. The Register noted yesterday that details about the bug are now embargoed pending the release of effective patches. The flaw allows hackers to take info from programs that shouldn’t be visible outside that program.
“The only way to really fix the problem is to replace the microprocessors in billions of devices”, he said.
There are two separate problems. It also requires more coordination.
On Wednesday, Google revealed that there’s a big security hole in pretty much every processor, including the one in your phone, the one in your laptop, and the processors running servers “in the cloud”.
True, vulnerabilities in chip design are rare. He cited recent discussions on the Linux and Unix news site LWN.net.
We work continuously to stay ahead of the constantly evolving threat landscape and will continue to roll out additional protections to address potential risks.
Security issues with Intel Corp microchips are only slowing computers slightly, technology companies said, as researchers played down the need for mass hardware replacements to protect millions of devices from hackers. However, uncomfortable reports are emerging, claiming that Intel CEO Brian Krzanich was told of the flaws in June past year, subsequently selling a large portion of his stake in the company, while the issues were not yet public knowledge.
Given kernel memory is dedicated to the core components and interactions of an operating system with its hardware, it is said that the flaw could be exploited by malicious programmes, namely Meltdown or Spectre, to expose secured information such as passwords, and effectively compromise a targeted machine or indeed server network.
Google and Amazon say they’re not seeing any major slowdowns.
Android software released this week includes mitigations. “We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied”. So, while there is a potential real risk, in my opinion, it’s not as great as numerous more traditional malware attacks we’ve seen in the recent past. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.
For now, there’s only one thing you can do: Update your devices and browser software when the updates are made available.
If it sounds like computer security is becoming a major issue, that’s because it is.
Research outfit Gartner reckons no single semiconductor vendor has more than a 15 percent share across all processor types, with Samsung past year displacing Intel for the top spot because of booming memory-chip sales.
Microsoft has already pushed out a patch for Windows 10 and other Windows versions will be updated on Tuesday, January 9. The software developers issue a patch further came to light when Linux developers started separating kernel memory from user memory and changed the current state of kernel page-table isolation.
As for consumers: If your computer or phone offers you an operating system upgrade, take it immediately. It has also published a technical paper outlining how the flaws can be mitigated. Based on the analysis to date, many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits. The small positive here is that Spectre is more hard to exploit. “There may end up being cases that are workload or OS specific that experience more of a performance impact”. The update will appear there when it is available.
So that’s the bad news, but there’s also some good news in this story.