Serious security flaws which could allow hackers to access sensitive information on computer systems are being investigated.
Researchers at Google and several universities published the results of the findings, discovered last June, that surface two previously unknown vulnerabilities that could affect almost every modern microprocessor.
“Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn’t have a roadmap to exploit the flaws”.
It’s not clear whether iPhones and iPads are affected by the problem: Apple has not issued a statement to clarify.
It’s possible for data to be stolen as the vulnerabilities allow for software to read the memory of other running programs. They said the flaws were discovered previous year. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.
ARM says some of it’s high-end Cortex A processors are vulnerable, but that it’s Cortex-M products-heavily used in low-power IoT systems-are not.
The researchers that uncovered Spectre write, “As it is not easy to fix, it will haunt us for quite some time”. It is also harder to completely defend against or patch Spectre, given that the attack vector involves architectural design choices in all modern processors that would be hard to “undo” now or in the future.
Both Meltdown and Spectre exploit a feature of computer processors called “speculative execution”. “They will improve on it”.
A back-and-forth emerged between chip designers at AMD and Intel over whether security flaws affected all computer chips or just those with a specific design flaw. Microsoft issued a security update yesterday and, generally, Windows 10 will automatically download necessary security updates and install them for you.
Intel and AMD both said that Google told the companies about the threats last summer. That means operating systems like Microsoft Windows, Linux and Apple macOS, which relied upon Intel’s hardware to provide some of these essential security services, will have to push out their own low-level updates to do the job that they were previously relying upon Intel to do.
However, that is a claim that Intel disputes: “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time”, the company says.
The CPU flaws have been branded as Meltdown and Spectre and have widespread impact across different silicon, operating system, browser and cloud vendors.
The security flaws affect millions of computers, including devices from Microsoft and Apple, and will require a software update to prevent data theft.
TechJuice for Browser: Get breaking news notifications on your browser. However, due to the full details of the vulnerability now being under embargo, meaning the full details of the bug are yet to be officially announced, it’s not yet clear just how serious it is.
Researchers at Alphabet’s Google Project Zero, working with academics, discovered the security problems, including one that affects computer chips by leading maker Intel.
Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have been or will soon be updated to protect against the newly disclosed vulnerabilities.
Android users with the latest update are protected, Linton and Parseghian said, and G Suite and Google Home users did not need to take action. Microsoft has started pushing out emergency updates through its Windows Update system. Spectre is still largely an unknown, and security researchers are advising that it’s more hard to exploit than Meltdown. The stock had fallen after Intel issued its statement earlier.
Security giant McAfee released a statement today saying the disclosure of the CPU flaw reveals that the scope of implications extends beyond just PCs to servers, cloud, mobile and IoT platforms, and affects the CPU platform of multiple vendors, not just one as was first thought.
“It’s a positive thing that we have independent verification – researchers looking for vulnerabilities”, Daly said.