Major Chip Flaws Confirmed

News of a major vulnerability in Intel chips is much worse than first feared, with researchers confirming three variants affecting multiple CPU hardware implementations, dubbed “Meltdown” and “Spectre”.

Both can be described as “side channel” attacks which allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine.

They work across PCs, mobile devices and in the cloud; the latter scenario is particularly worrying as it could theoretically allow an attacker in a guest VM to steal data from other customers’ VMs on the same public cloud server.

The previously disclosed issue has been named Meltdown and relates to CVE-2017-5754, a bug which “melts” the security boundaries normally enforced at the chip level to allow normal applications to read the contents of private kernel memory, according to the researchers.

It affects every Intel processor which implements “out-of-order execution”: effectively every processor since 1995, except Itanium and Intel Atom before 2013. It also affects certain Arm cores, although AMD chips are not thought to be affected.
Patches are available for Linux, Windows and OS X to mitigate Meltdown.

On the cloud provider side, those using Intel CPUs and XenPV as virtualisation are affected, as well as those relying on containers that share one kernel, such as Docker, LXC and OpenVZ. Patches are coming or are already here from Microsoft, Google, Amazon and others.

Spectre is arguably the more dangerous of the two threats as it is harder to mitigate, although it has also been described as harder to exploit.

It relates to bounds check bypass bug CVE-2017-5753 and branch target injection flaw CVE-2017-5715 and affects Intel, Arm and AMD chips in “almost every system” in the desktop, laptop, cloud server and smartphone space.
The researchers explained Spectre and Meltdown as follows:

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory.
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”

There are currently no known effective fixes for Spectre, although work is being done to “patch software after exploitation through Spectre.”

In fact, the US-CERT claimed that the only way to fix the issues for certain is to replace the CPU hardware altogether, not an option at this stage until more secure chips are architected.

There are also concerns that the patches which are being developed may cause systems to slow down, although many admins may not have a choice in the matter. Researchers claimed that, unlike normal malware, Meltdown and Spectre are hard to distinguish from regular apps so are unlikely to be spotted by AV tools.

“However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known”, they added.

Affected firms including chip, browser, OS and cloud vendors were working behind the scenes on fixes for the issues before the news was broken in a media report earlier this week. That seems to have accelerated patching plans.

The British National Cyber Security Centre (NCSC) claimed in a statement that it had seen “no evidence of any malicious exploitation” and advised users and IT admins to install patches as soon as they are made available.
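
Once patches are installed, a Linux host can be asked which of the three issues it still considers open. The script below is an added example, not part of the original article: it reads the kernel's status files under /sys/devices/system/cpu/vulnerabilities/ (present in Linux 4.15 and later) and maps them to the CVEs named above. The function names and the sample status directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Meltdown/Spectre status as reported by the Linux kernel.

# Map a sysfs status file name to the CVE named in the article.
cve_for() {
    case "$1" in
        meltdown)   echo "CVE-2017-5754" ;;
        spectre_v1) echo "CVE-2017-5753" ;;   # bounds check bypass
        spectre_v2) echo "CVE-2017-5715" ;;   # branch target injection
        *)          echo "unknown" ;;
    esac
}

# Reduce the kernel's free-text status line to one of four states.
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print one line per issue. Returns 1 if any issue is vulnerable or unreported
# (a missing file typically means the kernel predates the reporting interface).
report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        status="(no status file)"
        [ -r "$dir/$name" ] && status=$(cat "$dir/$name")
        state=$(classify "$status")
        case "$state" in vulnerable|unknown) rc=1 ;; esac
        printf '%-14s %-11s %-13s %s\n' "$(cve_for "$name")" "$name" "$state" "$status"
    done
    return "$rc"
}

# Constructed sample directory (not real host output): Meltdown patched,
# both Spectre variants still open.
sample=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Vulnerable\n'      > "$sample/spectre_v1"
printf 'Vulnerable\n'      > "$sample/spectre_v2"
report "$sample" || echo "action needed: an issue is unmitigated or unreported"
rm -rf "$sample"
```

Calling `report` with no argument reads the live sysfs directory on the host; its non-zero exit status makes it usable as a compliance check in a patch-rollout job.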

Reports that Intel CEO Brian Krzanich netted $25m from the exercise of his share options in the company prior to news of the vulnerability in the chipmaker's products becoming widely known are reminiscent of management behaviour at Equifax, where some senior executives have been accused of benefiting financially from a cover-up of a major data breach.

An Intel spokeswoman is reported to have said that Krzanich's decision to sell the shares was unrelated to the security vulnerability disclosed.

Infosecurity Magazine
