This week, computer security experts discovered two major security flaws in the microprocessors inside nearly all computers worldwide.
The two problems were identified as Meltdown and Spectre. Both problems allow hackers to steal the memory contents of computers, including mobile devices, personal computers and servers running in cloud computer networks.
Unfortunately, the fix for Spectre would require a redesign of all the processors. Fixing Meltdown would require a software patch that could slow down computers by 30%. That would take a toll on anyone who relies on fast downloads, which is practically everyone.
“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of the team, drawn from big tech companies like Google and Rambus and from academia, that discovered the flaws.
For companies like Amazon, Google, and Microsoft, Meltdown is a large problem because they run cloud computing services. Google and Microsoft moved quickly, updating their systems by Wednesday night in response to the flaw.
Amazon informed customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” The company said it had already protected nearly all instances of A.W.S. and that customers must update their own software running atop the service.
Hackers could take advantage of Meltdown by renting space on a cloud service, like any other business customer. Once on the service, the flaw would allow them to grab information like passwords from other customers.
This is a major threat to the way cloud-computing systems operate. Cloud services share machines among many customers, and it is very uncommon for a single server to be dedicated to one customer. Security tools and protocols are intended to separate customers’ data. However, the chip flaws would allow hackers to bypass these protections.
Personal computers used by consumers are vulnerable, but hackers would have to find a way to run software on a personal computer before they could gain access to information elsewhere on the machine. Attackers can fool consumers into downloading software through an email, an infected website or an app store.
The Meltdown flaw affects virtually every microprocessor made by Intel, according to researchers. Those chips account for 90% of the chips used in the computer servers that underpin the internet and private operations.
Customers of Microsoft will need to install an update from the company to fix the problem. The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30% of computer servers worldwide, has released a patch for that operating system. Apple released a partial fix for the problem and is expected to have an additional update.
The software patches distributed could slow the performance of affected machines by 20 to 30%, said Andres Freund, an independent software developer who tested the new Linux code. Researchers who discovered the flaws voiced similar concerns. This is a concern for any business.
There has yet to be any evidence of hackers attempting to take advantage of the vulnerability. However, once a security problem becomes public, computer users take a big risk by not installing a patch to fix the issue. A ransomware attack that hit computers worldwide last year took advantage of machines that hadn’t received a patch for a flaw in Windows software.
Spectre, which poses another risk, affects most processors now in use, though researchers believe this flaw is more difficult to exploit. At this time there is no known fix for it, and it is unclear what chip makers like Intel will do to address the problem.
It’s uncertain what the disclosure of the chip issues will do to Intel’s business. On Wednesday, the Silicon Valley giant addressed the problem.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the company said in a statement. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
Once researchers discovered the flaws they notified various companies that were affected. When news like this is discovered, it is best to keep it from the public so hackers can’t take advantage of the flaws before they are fixed.
On Tuesday, news of the Meltdown flaw began to leak via various websites. Following the leak, researchers released papers describing the flaws on Wednesday. This was earlier than they had planned; they had wanted to keep the flaws quiet for as long as possible.
As a temporary measure, computer security experts are using a patch called Kaiser. Kaiser was originally developed by researchers at the Graz University of Technology in Austria in response to a different issue last year.
Unfortunately, Spectre will be much more difficult to deal with than just using a software patch.
The two flaws are different and don’t have the same solution. The Meltdown flaw is specific to Intel, but Spectre is a flaw in a design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.
Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” stated Mr. Kocher. An emphasis on speed in designing new chips has left them vulnerable to security issues, he said.
“We’ve really screwed up,” Mr. Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
A fix may not be available for Spectre until a new generation of chips hits the market. “This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after,” Mr. Kocher said. “It’s going to take a while.”