Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/3/2018
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Critical Microprocessor Flaws Affect Nearly Every Machine

Researchers release details of 'Meltdown' and 'Spectre' attacks that allow programs to steal sensitive data.

[UPDATED 1/4/2018 7:00AM ET with Microsoft comment and emergency patch information].

After a day of speculation over a reported design flaw in Intel processors, security researchers came clean late today with full disclosure of a new and widespread class of attack that affects most computers worldwide.

Researchers from Google's Project Zero Team, Cyberus Technology, Graz University of Technology, University of Pennsylvania and the University of Maryland, Rambus, and University of Adelaide and Data61, all discovered critical flaws in a method used by most modern processors for performance optimization that could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM, according to Google.

The two attacks, called Meltdown and Spectre, can be executed on desktop machines, laptops, mobile devices, and in cloud environments. That means an attacker could steal information from other cloud customers' systems, for example.

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. "If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure," the researchers wrote in an FAQ about the attacks. "Luckily, there are software patches against Meltdown," referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.

Spectre forces an application to share its secrets, and is a more difficult attack to pull off. According to the researchers, application "safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre." It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.

"Both attacks use side channels to obtain the information from the accessed memory location," the researchers said.

The researchers say they don't know if the exploits have been used in the wild. 

Google senior security engineer Matt Linton, and technical program manager Pat Parseghian in  a blog post  today said Google went public with the vulns in advance of the planned January 9 coordinated disclosure date for all affected vendors "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Microsoft released an emergency patch for Windows  late in the evening, after providing this statement in response to the disclosure: "We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Intel earlier in the day issued a statement, noting that it "believes these exploits do not have the potential to corrupt, modify or delete data." The chip vendors said it has been providing software and firmware updates to mitigate the attacks, and reports of peformance degradation won't "be significant" for the average use and "will be mitigated over time."

ARM issued a statement as well, noting that "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism."

Amazon also issued a statement: "This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," Amazon said.

But fair warning: those updates protect AWS's underlying infrastructure only. Full protection requires the operating systems also be patched, Amazon noted.  

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MelBrandle
50%
50%
MelBrandle,
User Rank: Moderator
7/18/2018 | 10:13:28 PM
Re: Simple Solution
This is highly worrying but somehow rather expected too. As long as you are connected to the internet, your device remains in a vulnerable state. You can install preventive softwares but they can only do so much. Let's just hope the sensitive data that you have remains safe with the latest upgrades that you need to regularly update to avoid becoming an easy target.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/5/2018 | 8:33:12 AM
Simple Solution
I read this morning that there is a simple solution here and it is so in theory.  REPLACE EVERYTHING.  With what i do not know but JUST REPLACE EVERY COMPUTER EVERYWHERE.  Remember too we are talking servers, data center machines, peripherals --- just replace.  Consider the impact!!!!!!   And if you accept this premise --- replace with, eh ---- WHAT precisely?????  No new technologies that I have heard of discussed so far.  Just PATCH PATCH AND PATCH and be careful out there. 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 2:26:09 PM
Re: Something missing from article
Agree - and many patches are due to be released by damn near everybody so I can see a trend that any software that accesses the processor (define now - everything) can be a source of penetration.  What really disturbs me (my 8088 rants aside) is that it has taken YEARS for somebody to notice this one.  We now have decade or longer vulnerability ranges which is terrifying.  
RalphDaly28
50%
50%
RalphDaly28,
User Rank: Apprentice
1/4/2018 | 1:03:18 PM
Something missing from article
What I havent' seen explictly in the articles I have read about this is the nature of the programs that can execute this attack. For instance, can viewing a web page execute the attack? Or does it require that an actual EXE be executed on the machine? The reports I have seen so far imply that it an attack would require a program to execute on an affected machine. But it is implied only.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 10:57:12 AM
Re: Something to be said for the 8088
Asking alot of this community, but there was some really fun stuff for that ancient sys.  KINGDOM OF KROZ and variants were wonderful games.  The screen MENU programs were delightful in simplicity and I sitll enjoyed old Word Perfect 4.2 as well.  How many of us cut our teeth on LOTUS 1-2-3.  You could do great stuff on these old platforms. 
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
1/4/2018 | 10:38:31 AM
Something to be said for the 8088
I am sorry to an extent that I no longer own my trusty clone IBM XT system, that 8088 was indeed secure and back in 1985 malware written for DOS 6.22 was indeed rare.  Internet barely exists and I used Compuserve (EasyPlex email) to communicate with the outside world.  Inter-system connect was through PROCOMM (ah, there was a good product).   Times change and not necessarily for the better. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...
CVE-2020-3137
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because th...