Cybersecurity: Meltdown, Spectre bug could affect millions of Intel chips

Security researchers on Wednesday disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel Corp, Advanced Micro Devices Inc and ARM Holdings, Reuters reported.
On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.
Although both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors, as well.
The researchers said Apple Inc and Microsoft Corp had patches ready for users for desktop computers affected by Meltdown. Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it “probably one of the worst CPU bugs ever found” in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches. Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.
Speaking on CNBC, Intel’s Krzanich said Google researchers told Intel of the flaws “a while ago” and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the “Spectre” flaw on June 1, 2017 and reported the “Meltdown” flaw after the first flaw but before July 28, 2017.
Intel, whose processors were the focus of an initial report from The Register, said that both ARM and AMD, as well as several operating system vendors, have been notified of the vulnerability. It also reported that the updates to fix the problems could causes Intel chips to operate 5 percent to 30 percent more slowly. The flaw was first discovered by Google’s Project Zero security team, says Intel, which Google confirmed. Two names, Spectre and Meltdown, are also being used to identify the vulnerabilities.
Intel said that it would issue its own microcode updates to address the issue, and over time some of these fixes will be rolled into hardware.
ARM spokesman Phil Hughes said that patches had already been shared with the companies’ partners, which include many smartphone manufacturers.
“This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory,” Hughes said in an email.
AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there “is near zero risk to AMD products at this time.”
Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates. Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.
The companies had planned to make the disclosure next week when the patches became available. Intel said it was commenting in advance because of what it called “current inaccurate media reports,” though nothing in its statement denied those reports. The company released a statement to the media, then followed up with a conference call.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” Intel said. “Intel believes these exploits do not have the potential to corrupt, modify or delete data”, the statement reported.