Inside the Intel Chip Security Problem

Uploaded on 2018-01-16 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Technology companies are  still scrambling to fix serious security flaws affecting computer processors built by Intel and other chipmakers and found in many of the world’s personal computers and smartphones.

The two hardware bugs discovered can be exploited to allow the memory content of a computer to be leaked. Such a leak could potentially expose stored passwords and other sensitive data, including personal photos, emails and instant messages.Researchers at Google’s Project Zero and academic institutions including the Graz University of Technology in Austria discovered the problem last year and disclosed it only a week ago.

There’s no evidence that bad actors have yet exploited the bugs, but companies from Microsoft to Mozilla said this week they have worked to patch up vulnerabilities to their operating systems and browsers to protect against one of the bugs. Researchers say the other is harder to fix and “will haunt us for quite some time.”

Here’s what’s affected, what’s being done about it and whether you should worry:

Intel Inside

Intel is at the center of the problem because it supplies the processors used in many of the world’s PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor it’s made since the mid-1990s.While security flaws are typically limited to a specific company or product, Intel says the problem is “not a bug or a flaw in Intel products” but rather a broader problem affecting processing techniques common to modern computing platforms. Both the chipmaker and Google, which informed Intel about the vulnerability in June, said they were planning to disclose the issue when fixes will be available. 

Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn’t have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem after the story entered the public domain, causing Intel’s stock to fall.

Most of the immediate fixes will be limited to the Meltdown bug. The other, Spectre, is harder to fix, but also harder to exploit, making it less of an immediate threat to consumer devices.

Other chipmakers

While researchers say the Meltdown bug is limited to Intel processors, they have verified Spectre as a problem for Intel, Advanced Micro Devices and ARM processors. AMD chips are also common in PCs, while ARM chips are found in many smartphones and other internet-connected products, including cars and home appliances. AMD said there is “near zero risk” to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem.

ARM Holdings said it’s working with Intel, AMD and operating system vendors to address the problem. The ARM design is also used in Apple’s mobile chips. Apple said that all of its devices are affected, but it’s already made fixes to help defend against Meltdown in laptops and phones and soon plans to release mitigations in the Safari browser to help defend against Spectre.

Securing the Cloud

The bugs also affect cloud-computing services powering much of the internet. These services, offered by Amazon, Microsoft, Google, IBM and others, give smaller companies access to data centers, web hosting and other services they need to run their businesses. But these cloud services also use computers with the same types of problem chips.

Unauthorised access will be difficult to detect so cloud-computing providers need to act quickly to protect against these vulnerabilities, said Ryan Kalember, senior vice president of cyber-security at Proofpoint. The good news, he said, is that major cloud providers have known about this for months and have had time to tackle the problem.

What to do Next?

There are limits to what consumers can do now to protect their computers.Advice from the US Computer Emergency Readiness Team’s was grim. The federal organisation says that “fully removing the vulnerability” requires replacing the hardware already embedded in millions of computing devices.

That’s not to say Nothing can be done.

Consumers can mitigate the underlying vulnerability by making sure they patch up their operating systems with the latest software upgrades. There are already Meltdown patches for Microsoft’s Windows, Apple’s macOS and Linux. Mozilla says it’s also implementing a short-term mitigation that disables some capabilities of its Firefox browser. Google says Android devices are protected if they have the latest security updates.“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” security researcher Rob Graham said in a blog.

“If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about.”

Kansas City Star:

You Might Also Read: 

Major Chip Flaws Confirmed:

New IoT Chips See, Think & Act Autonomously:

 

« VW and Hyundai To Offer Autonomous Cars
The Top 5 Tech Trends For 2018 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CYBER 1

CYBER 1

CYBER 1 provides cyber security solutions to customers wanting to be resilient against new and existing threats.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

CERT Tonga

CERT Tonga

CERT Tonga is the national Computer Emergency Response Team for Tonga.

ITonlinelearning

ITonlinelearning

ITonlinelearning specialises in providing professional certification courses to help aspiring and seasoned IT professionals develop their careers.

ArcRan Information Technology

ArcRan Information Technology

ArcRan concentrates on developing comprehensive cybersecurity solutions for smart city applications. We believe that cybersecurity is the fundamental enabler of IoT development.

Brookcourt Solutions

Brookcourt Solutions

Brookcourt Solutions delivers cyber security, network monitoring technologies and managed security services to help secure and protect your organisation’s critical infrastructure.

Stronger International

Stronger International

Stronger International provides expert cyber services and training to organizations and individuals to enhance IT and security knowledge.

Blacksands

Blacksands

Blacksands is a leader in network architecture, identity & services management, threat analysis, industrial IoT architecture, and invisible dynamic networks.

Theori

Theori

Theori tackles the most difficult cybersecurity challenges from an attacker’s perspective and conquers them as the best strategic security experts.

RightSec

RightSec

RightSec is an emerging market leader and solution provider for cybersecurity and digital resiliency. We provide end to end solutions to suit your specific business lifecycle.

Dev Information Technology (Dev IT)

Dev Information Technology (Dev IT)

Dev IT delivers digital transformation and end-to-end information technology services.

Deimos

Deimos

Deimos is a technology, cloud, hybrid and multi-cloud focused, professional services company. Our expertise and focus is on cloud native Developer and Security Operations.

Krash Consulting

Krash Consulting

Krash Consulting is a premier provider of Cyber Security solutions, offering a range of services to safeguard businesses against cyber-attacks, minimize fraud, and protect brand reputation globally.

DeepSurface Security

DeepSurface Security

DeepSurface is the first risk-based vulnerability management platform that allows cybersecurity teams to automate the process of analyzing and prioritizing vulnerabilities.