We all want to feel our computers are protected with the latest virus software. Protected behind a firewall. We would have never thought that the very chip that controls our computer would be flawed, the CPU. Even as Second Life users, we ALL use a computer to login, smart phones / tablets, and other devices that use one of the major processors listed.
Two major flaws in computer chips could leave a huge number of computers and smartphones vulnerable to security concerns, researchers revealed Wednesday. And a U.S. government-backed body warned that the chips themselves need to be replaced to completely fix the problems.
The flaws could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer, researchers found. Daniel Gruss, a researcher from Graz University of Technology who helped identify the flaw, said it may be difficult to execute an attack, but billions of devices were impacted.
Called Meltdown and Spectre, the flaws exist in processors, a building block of computers that acts as the brain. Modern processors are designed to perform something called “speculative execution.” That means they predict what tasks they will be asked to execute and rapidly access multiple areas of memory at the same time. That data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
Researchers say almost every computing system — desktops, laptops, smartphones, and cloud servers — is affected by the Spectre bug. Meltdown appears to be specific to Intel (INTC) chips. “More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors,” the researchers said.
Apple users haven’t been spared in the great computer chip debacle. The U.S. tech giant has confirmed that all its iPhones, iPads and Mac computers are affected by two recently disclosed processor flaws called Spectre and Meltdown.
Here’s the issue: Modern processors are designed to perform something called “speculative execution” to enhance performance. Data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.
Intel (INTC) said that “for the average user,” the performance impact on products using the processors from the last five years “should not be significant and will be mitigated over time.”
The bigger challenge appears to be for companies that deal with a lot of network traffic and considerable processing power — things like cloud computing providers, retailers that process consumer transactions and medical systems that crunch data.
Read the report of how Google’s Project Zero found this flaw: Project Zero
A message from Mozilla regarding the browser Firefox: Mozilla
A message from Arm Processors (Arm Chips): Arm Processors
A message from AMD: AMD Processors
A message from Intel: Intel
Google’s Cloud Platform has been updated to prevent the vulnerabilities, the company said.
Amazon (AMZN) said in a statement most of its cloud computing machines affected by the flaw are already protected, but it was updating the rest on Wednesday.
Apple (AAPL) revealed Thursday that all its Mac and iOS devices were affected by the flaws, but said that “there are no known exploits impacting customers at this time.” The company has already released some fixes for Meltdown, and will release others for Spectre in subsequent updates.
What is being recommended:
1. Update your software!
Spectre is the main threat because it is present in billions of devices. Meltdown appears to affect only Intel chips. The U.S. government-funded Software Engineering Institute initially said vulnerable chips may eventually have to be replaced altogether. It subsequently updated its guidance to say that software updates can provide a partial fix for now.
Intel says it is working with AMD and ARM to fix the problem, and many tech firms have already released — or are about to release — software updates to secure their devices.
Microsoft has already released security updates for Windows users, and is taking steps to protect users of its cloud computing services. Google and Amazon are also updating their cloud services.
Apple said Thursday that it had already issued fixes for Meltdown for its various operating systems, and added that it plans to release similar fixes in its Safari browser “to help defend against Spectre” in the coming days.
“We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” Apple said.
Dell (DVMT) said it was “working with Intel and others in the industry to investigate and address the issue.” It directed customers to Intel’s statement, and said it would post “a list of affected platforms and remediation” soon.
2. Brace yourself for slower devices
An unfortunate downside of the software updates is that they might slow your computers and smartphones.
Patches deployed to combat the flaws could slow computers by as much as 30% depending on what you’re trying to do, according to estimates posted on Linux message boards.
Intel said it does not expect users to experience any performance issues. Experts disagree.
“Processor slowdowns trickle down from data centers to everyone using the internet,” said Bryce Boland, chief technology officer for Asia at cybersecurity firm FireEye. “People will feel many of their mobile devices taking a performance hit.”
Chamarty says removing the vulnerability requires a fundamental change in the way modern processors operate — a function called “speculative execution” — a change that could drastically reduce speeds. “If you’re going to disable this, then you’re back to … many, many years ago, we’re talking 10 years,” he added. “Imagine running at those speeds now.”