Security flaws in virtually all phone and computer chips 'one of the worst CPU bugs ever found'

Software fixes are being released to mitigate the flaws, which could be used to steal private data

Security researchers disclosed a set of flaws Wednesday that they said could let hackers steal sensitive information from almost every modern computing device containing chips from Intel, AMD and ARM.

One of the bugs is specific to Intel, but another affects laptops, desktop computers, smartphones, tablets and internet servers alike. Intel and ARM insisted that the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix. 

"Phones, PCs, everything are going to have some impact, but it'll vary from product to product," Intel chief executive Brian Krzanic said in an interview with CNBC Wednesday afternoon.

Researchers with Alphabet's Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws.

Meltdown and Spectre

The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords.

The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

The researchers said Apple and Microsoft had patches ready for users for desktop computers affected by Meltdown. Microsoft declined to comment and Apple did not immediately return requests for comment.

Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters. 

Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.

Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.

Details leaked ahead of schedule

Speaking on CNBC, Intel's Krzanich said Google researchers told Intel of the flaws "a while ago" and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9.

Google said it informed the affected companies about the Spectre flaw on June 1, 2017 and reported the Meltdown flaw after the first flaw but before July 28, 2017.

The flaws were first reported by tech publication The Register. It also reported that the updates to fix the problems could cause Intel chips to operate five to 30 per cent more slowly.

Intel denied that the patches would bog down computers based on Intel chips.

"Intel has begun providing software and firmware updates to mitigate these exploits," Intel said in a statement.

"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."

ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers. 

"This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," Hughes said in an email.

AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there "is near zero risk to AMD products at this time." 

Software patches coming

Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates. Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates. 

Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched. 

The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.

That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.

Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities.

"Exploits for these bugs will be added to hackers's standard toolkits," said Guido.

Shares in Intel were down by 3.4 per cent Wednesday following the report but nudged back up to $44.70 US in after-hours trading. Shares in AMD were up one per cent to $11.77, shedding many of the gains they had made earlier in the day when reports suggested its chips were not affected.

It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.

"The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid," Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company's reputation.

Reference http://www.cbc.ca/

Security flaws in virtually all phone and computer chips 'one of the worst CPU bugs ever found'

Rush to fix 'serious' computer chip flaws

Tech firms are working to fix two major bugs in computer chips that could allow hackers to steal sensitive data.

The bugs are an "absolute disaster" and need to be fixed promptly, according to one cyber-security researcher.

Google researchers said one of the "serious security flaws", dubbed "Spectre", was found in chips made by Intel, AMD and ARM.

The other, known as "Meltdown" affects Intel-made chips and one recent ARM chip.

The industry has been aware of the problem for months and hoped to solve it before details were made public.

The UK's National Cyber Security Centre (NCSC) said there was no evidence that the vulnerability had been exploited.

It has issued guidance about Meltdown and Spectre, including advice on what people can do to protect themselves.

According to the researchers who found the bugs, chips dating as far back as 1995 have been affected.

Some fixes, in the form of software updates known as patches, have been introduced or will be available in the next few days, said Intel, which provides chips to about 80% of desktop computers and 90% of laptops worldwide.

"These bugs are an absolute disaster," said Matthew Hickey, a cyber-security expert at Hacker House.

While some computers can be patched quickly, others faced a longer wait, he explained, giving virtual hosting systems as one example.

"You may find that patches aren't yet available," he told the BBC.

Microchips are the basic electronic systems behind many devices such as computers and mobile phones.

In order to do their work, they must move data around, using different types of memory to temporarily store it.

In many cases, that information is supposed to be secure from attempts to snoop on it, but these two bugs mean that it could in fact be accessed by a third party.

The first reports suggested that a bug affected solely chips made by Intel, but it has since emerged that a separate flaw, Spectre, has been found in Intel, ARM and AMD chips.

"Many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits," said Intel.

ARM said patches had already been shared with its customers, which include many smartphone manufacturers.

AMD said it believed there was "near zero risk to AMD products at this time".

Security updates

On a conference call for investors, Intel said researchers had shown that hackers could exploit the Meltdown vulnerability, gaining the ability to read memory and potentially access information such as passwords or encryption keys on devices.

Microsoft, which uses Intel chips said it would roll out security updates on Thursday, adding it had no information suggesting any data had been compromised.

Apple's latest macOS, version 10.13.2, is safe from the Meltdown bug and the firm is working on updates for earlier versions of the operating system on its laptops and desktops.

As for Spectre, however, experts believe that it will not be possible to patch it directly, but various software tweaks could help stop it being exploited.

Google published a blog detailing what some customers may need to do. It said Android phones with the latest security updates were protected, and that Gmail was safe. It will be releasing security patches for users of older Chromebooks, while there will also be a fix for users of the Chrome web browser.

The NCSC said it was aware of the reports of the potential flaw and advised that all organisations and home users "continue to protect their systems from threats by installing patches as soon as they become available."

When asked whether hackers will make use of the bugs to attack computers, experts advised caution on the issue.

"It is significant but whether it will be exploited widely is another matter," said Prof Alan Woodward, from the University of Surrey.

Reference http://www.bbc.com

Rush to fix 'serious' computer chip flaws