Intel Acknowledges Chip-Level Security Vulnerability In Processors

The Register reports that "Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system". Unusually, the exploit, called Meltdown, takes advantage of the processors' hardware rather than a software flaw, so it circumvents security schemes built into major operating systems.

Unauthorized access will be hard to detect, so cloud-computing providers need to act quickly to protect against these vulnerabilities, said Ryan Kalember, senior vice president of cybersecurity at Proofpoint. Intel chips dating as far back as a decade are in jeopardy.

Intel disputed that most users would see any difference in their machine's speed or capability. The attack allows a program to access the memory and other secrets of programs and the operating system.

There has also been a dispute about how patches will affect computer performance.

The issue is particularly hard to resolve because most cybersecurity vulnerabilities occur in software, which is easier to fix than hardware flaws.

However, rising speculation about the severity of the issue - including potential performance impacts on servers and public cloud environments - forced it to go public sooner.

Spectre is a bug that breaks the isolation between different applications.

Again, this is good practice against any type of hacker attack.

Spectre is tougher to exploit than Meltdown, but its effects are more pervasive.

It has issued guidance about Meltdown and Spectre, including advice on what people can do to protect themselves.

Last year, Google's Project Zero team discovered serious flaws caused by a technique that is used by CPUs to optimise performance.

So, how long has the industry known about the vulnerability?

How big is the risk?

Intel Chief Executive Officer Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue "a couple of months ago".

Aside from applying the relevant patch, the only other solution is to buy a brand-new processor which isn't blighted by the bug now that Intel has ironed it out - not exactly a practical prospect for most folks (unless you were mulling over pulling the trigger on a CPU upgrade anyway).

But Paul Kocher - security technology advisor at Rambus - said in an email to CNBC that AMD is indeed vulnerable to at least one of the threats discovered, the so-called "Spectre" vulnerability. In essence, it allows a program to access memory (which it otherwise shouldn't have privilege to access), giving it the opportunity to spy on data associated with other programs and the operating system itself. "Think passwords, private keys, credit card data".

While Microsoft is quickly addressing the issues, the fixes will also rely on firmware updates from Intel, AMD, or other vendors that are rolling out. "We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD", the company said. Intel's microprocessors are used in the majority of the world's PCs and many servers that underpin cloud and web hosting services - such as Amazon Web Services. Those are already starting to become available for Linux and Windows 10.

Makers of those operating systems are racing to roll out a fix, according to The Register, which first reported the effort Tuesday.

Google said that all products have been updated but that a new security update, dated 5 January, will be released. In a post on its website, Apple said updates to its operating systems for iPhones (iOS 11.2), Macs (macOS 10.13.2), and Apple TVs (tvOS 11.2) would defend against Meltdown.

Mozilla also notified its users that it might have been swept up in the attack and said it was updating its Firefox browser to try and circumvent the risk. "Speculative execution" has been a cornerstone of Intel processor architecture since 1995, affecting hundreds of millions of chips.