Inside the Intel Chip Security Problem

Uploaded on 2018-01-16 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Technology companies are  still scrambling to fix serious security flaws affecting computer processors built by Intel and other chipmakers and found in many of the world’s personal computers and smartphones.

The two hardware bugs discovered can be exploited to allow the memory content of a computer to be leaked. Such a leak could potentially expose stored passwords and other sensitive data, including personal photos, emails and instant messages.Researchers at Google’s Project Zero and academic institutions including the Graz University of Technology in Austria discovered the problem last year and disclosed it only a week ago.

There’s no evidence that bad actors have yet exploited the bugs, but companies from Microsoft to Mozilla said this week they have worked to patch up vulnerabilities to their operating systems and browsers to protect against one of the bugs. Researchers say the other is harder to fix and “will haunt us for quite some time.”

Here’s what’s affected, what’s being done about it and whether you should worry:

Intel Inside

Intel is at the center of the problem because it supplies the processors used in many of the world’s PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor it’s made since the mid-1990s.While security flaws are typically limited to a specific company or product, Intel says the problem is “not a bug or a flaw in Intel products” but rather a broader problem affecting processing techniques common to modern computing platforms. Both the chipmaker and Google, which informed Intel about the vulnerability in June, said they were planning to disclose the issue when fixes will be available. 

Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn’t have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem after the story entered the public domain, causing Intel’s stock to fall.

Most of the immediate fixes will be limited to the Meltdown bug. The other, Spectre, is harder to fix, but also harder to exploit, making it less of an immediate threat to consumer devices.

Other chipmakers

While researchers say the Meltdown bug is limited to Intel processors, they have verified Spectre as a problem for Intel, Advanced Micro Devices and ARM processors. AMD chips are also common in PCs, while ARM chips are found in many smartphones and other internet-connected products, including cars and home appliances. AMD said there is “near zero risk” to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem.

ARM Holdings said it’s working with Intel, AMD and operating system vendors to address the problem. The ARM design is also used in Apple’s mobile chips. Apple said that all of its devices are affected, but it’s already made fixes to help defend against Meltdown in laptops and phones and soon plans to release mitigations in the Safari browser to help defend against Spectre.

Securing the Cloud

The bugs also affect cloud-computing services powering much of the internet. These services, offered by Amazon, Microsoft, Google, IBM and others, give smaller companies access to data centers, web hosting and other services they need to run their businesses. But these cloud services also use computers with the same types of problem chips.

Unauthorised access will be difficult to detect so cloud-computing providers need to act quickly to protect against these vulnerabilities, said Ryan Kalember, senior vice president of cyber-security at Proofpoint. The good news, he said, is that major cloud providers have known about this for months and have had time to tackle the problem.

What to do Next?

There are limits to what consumers can do now to protect their computers.Advice from the US Computer Emergency Readiness Team’s was grim. The federal organisation says that “fully removing the vulnerability” requires replacing the hardware already embedded in millions of computing devices.

That’s not to say Nothing can be done.

Consumers can mitigate the underlying vulnerability by making sure they patch up their operating systems with the latest software upgrades. There are already Meltdown patches for Microsoft’s Windows, Apple’s macOS and Linux. Mozilla says it’s also implementing a short-term mitigation that disables some capabilities of its Firefox browser. Google says Android devices are protected if they have the latest security updates.“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” security researcher Rob Graham said in a blog.

“If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about.”

Kansas City Star:

You Might Also Read: 

Major Chip Flaws Confirmed:

New IoT Chips See, Think & Act Autonomously:

 

« VW and Hyundai To Offer Autonomous Cars
The Top 5 Tech Trends For 2018 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

AhnLab

AhnLab

AhnLab provides a range of information security solutions including network security, endpoint security, antivirus and consulting services.

Ceerus

Ceerus

Ceerus was created to simplify the process of deploying and managing security across all the channels in an organisation.

Onward Security

Onward Security

Onward Security provides security solutions including network & application assessment, product security testing and security consulting services.

GreyNoise Intelligence

GreyNoise Intelligence

GreyNoise Intelligence is a cyber security company that collects, labels, and analyzes Internet-wide scan and attack data.

Newberry Group

Newberry Group

The Newberry Group provides comprehensive IT services and solutions that optimize operations, minimize risk and deliver measurable business value.

Red River

Red River

Red River is a technology transformation company, bringing 25 years of experience and mission-critical expertise in analytics, cloud, collaboration, mobility, networking and security solutions.

Vulcan Cyber

Vulcan Cyber

At Vulcan, we’re modernizing the way enterprises reduce their cyber risk. From detection to resolution, we automate and orchestrate the vulnerability remediation process dynamically and at scale.

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute (WCRI)

Wolverhampton Cyber Research Institute builds on the strength of its members in the area of network and communication security, artificial intelligence, big data and cyber physical systems.

UST

UST

UST is a global provider of digital technology and transformation, IT services and solutions including managed security services.

Testhouse Ltd

Testhouse Ltd

Testhouse is a thought leader in the Quality Assurance, software testing and DevOps space. Founded in the year 2000 in London, UK, with a mission to contribute towards a world of high-quality software

EasyDMARC

EasyDMARC

EasyDMARC deliver the most comprehensive product for anyone who strives to build the most secure possible defence system for their email ecosystem.

Summit 7 (S7)

Summit 7 (S7)

Summit 7 is a national leader in cybersecurity, compliance, and managed services for the Aerospace and Defense industry and corporate enterprises.

Communications Fraud Control Association (CFCA)

Communications Fraud Control Association (CFCA)

CFCA is the premier International Association for fraud risk management, fraud prevention and profitability control.

Brunswick Group

Brunswick Group

Brunswick is a critical issues firm. We advise the world’s leading companies on how to navigate the critical issues they face and engage with their critical stakeholders.

Emircom

Emircom

Emircom is one of the Middle East's leading independent providers of IT infrastructure services, helping clients to drive growth and deliver measurable outcomes.

Academia the Technology Group

Academia the Technology Group

Academia specialise in the supply of software, IT hardware, training and service solutions to the public sectors, business and pro media markets.