Google's Project Zero team last June found two kernel flaws, codenamed Spectre and Meltdown that could allow hackers to gain access to sensitive information like passwords or photos stored in a PC's protected memory or cloud server. These vulnerabilities impact Windows, Linux, iOS, macOS, tvOS, and Android devices. At the centre of all this is Intel as it produces processors for a majority of computing devices around the world.
It has been discovered that a performance feature called speculative execution present on nearly all modern computing system to optimise performance. The techniques essentially makes the computer speculate which command or path to take. This, however, requires access to protected kernel memory, which hackers can exploit through malicious programs.
Project Zero also said that in order to exploit the vulnerability, the attacker will need access to the machine and should be able to run a malicious app. Apple has also stated that an attacker will need to run a malicious app on the iOS or macOS device to exploit the vulnerability, which is why it is urging its users to download apps only through trusted sources such as the App Store.
While Meltdown is said to affect Intel processors manufactured since 1995, Spectre is more widespread in that it is present in ARM and AMD-based devices as well. This means that apart from PCs, Spectre is present in smartphones as well. Apple has admitted this for its iOS devices like the iPhone and iPad. Google's Project Zero team notes that "exploitation has been shown to be difficult and limited on the majority of Android devices."
Apple confirmed that Spectre and Meltdown affects its Mac and iOS devices. It has mitigated Meltdown with iOS 11.2, macOS 10.13.2, and tvOS 11.2 updates, and plans to release mitigations in Safari to defend against Spectre. The company says it hasn't found any reports of the vulnerabilities affecting customers as of now.
Intel CEO Brian Krzanich says that the company is looking to fix the security vulnerabilities via updates and does not see a need for a recall. The company said that 90 per cent of computers released in the last 5 years will have fixes available by the end of next week. While this may seem to be the case for Meltdown, Spectre is a more widespread and deep-rooted flaw and there is no fix for it as of now. The latter is, however, a harder exploit for hackers to carry out.
Companies like Apple, Microsoft, Google and Amazon are working on updates to mitigate the flaws. One of the concerns is that the updates may slow performance but Krzanich has denied this. As of now users can̢۪t do much but update their devices to the latest security patches to mitigate the vulnerabilities. Chip makers will have to redesign future processors that will be protected against the exploits and its variants.
It is hard to tell whether hackers have carrier out attacks through these exploits as neither Spectre nor Meltdown leaves any trace in log files. Most tech companies have said that they have not found any proof of the flaws being used to attack devices.
ARM has claimed that a majority of its processors have not been affected by Spectre or Meltdown. AMD has resolved a variant of Spectre via software and operating system updates, while another variant has "a near zero risk of exploitation" on its processors.
Google has notified that Android devices on the latest security patch are protected. However, as you know, Android updates don't roll out universally for everyone. Most devices, especially older models and budget smartphones are not on the latest security update. This puts many at risk from potential attackers.
Windows 10 users have already received the update KB4056892 earlier this month, while Windows 7 and Windows 8 users will be getting the update next Tuesday. Those using Chrome browser will receive an update on January 23. Firefox users will need to be on version Firefox 57.0.4 to be protected against any attack.
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits.
Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
