20-year-old Chip Vulnerability
A chip vulnerability exposed independently four different research groups, has shocked one of the biggest chip manufactures in the world. These security flaws have been exposed in the last few days and as the chip manufactures rush to fix the issues, it is worth looking at exactly what the problems are.
Researchers discovered gaps in security in the CPUs from most of the major manufactures: Intel, ARM and AMD. The vulnerability leaves devices using these chips – including PCs, mobiles, servers etc open to attacks by hackers, potentially exposing data. The three researchers from the small Austrian city of Graz managed to expose snippets from web browsing history and text from private email conversations.
There are actually two security flaws: Meltdown and Spectre. Meltdown affects PC and servers with Intel chips and Spectre affects mobiles, tablets and PCs powered by Intel, ARM and AMD.
Meltdown breaks the most fundamental isolation between user applications and the operating system.
This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications.
It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.
In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
However, it is possible to prevent specific known exploits based on Spectre through software patches.
Has Meltdown or Spectre been abused in the wild?
So far there is no evidence of these flaws being used, but now they are know the race is on. There will be those fixing the issue and those trying to exploit it.
Naturally, the best defence is to keep all devises updated with the latest patches. Apple, Linux and Microsoft are providing updates to try and mitigate these vulnerabilities.
In the medium-term, fixes of the flaws could slow down computers by as much as thirty per cent. The launch of new chips from the manufacturers will be some time off as they attempt to deal with the design issues.