Endpoint

1/3/2018
07:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail

Critical Microprocessor Flaws Affect Nearly Every Machine

Researchers release details of 'Meltdown' and 'Spectre' attacks that allow programs to steal sensitive data.



[UPDATED 1/4/2018 7:00AM ET with Microsoft comment and emergency patch information].

After a day of speculation over a reported design flaw in Intel processors, security researchers came clean late today with full disclosure of a new and widespread class of attack that affects most computers worldwide.

Researchers from Google's Project Zero Team, Cyberus Technology, Graz University of Technology, University of Pennsylvania and the University of Maryland, Rambus, and University of Adelaide and Data61, all discovered critical flaws in a method used by most modern processors for performance optimization that could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM, according to Google.

The two attacks, called Meltdown and Spectre, can be executed on desktop machines, laptops, mobile devices, and in cloud environments. That means an attacker could steal information from other cloud customers' systems, for example.

Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. "If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure," the researchers wrote in an FAQ about the attacks. "Luckily, there are software patches against Meltdown," referring to Linux, Windows, and OS X updates (not all of which are yet available, however).

Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.

Spectre forces an application to share its secrets, and is a more difficult attack to pull off. According to the researchers, application "safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre." It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.

"Both attacks use side channels to obtain the information from the accessed memory location," the researchers said.

The researchers say they don't know if the exploits have been used in the wild. 

Google senior security engineer Matt Linton, and technical program manager Pat Parseghian in  a blog post  today said Google went public with the vulns in advance of the planned January 9 coordinated disclosure date for all affected vendors "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Microsoft released an emergency patch for Windows  late in the evening, after providing this statement in response to the disclosure: "We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Intel earlier in the day issued a statement, noting that it "believes these exploits do not have the potential to corrupt, modify or delete data." The chip vendors said it has been providing software and firmware updates to mitigate the attacks, and reports of peformance degradation won't "be significant" for the average use and "will be mitigated over time."

ARM issued a statement as well, noting that "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism."

Amazon also issued a statement: "This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," Amazon said.

But fair warning: those updates protect AWS's underlying infrastructure only. Full protection requires the operating systems also be patched, Amazon noted.  

Related Content:

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
1/4/2018 | 10:38:31 AM
Something to be said for the 8088
I am sorry to an extent that I no longer own my trusty clone IBM XT system, that 8088 was indeed secure and back in 1985 malware written for DOS 6.22 was indeed rare.  Internet barely exists and I used Compuserve (EasyPlex email) to communicate with the outside world.  Inter-system connect was through PROCOMM (ah, there was a good product).   Times change and not necessarily for the better. 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 10:57:12 AM
Re: Something to be said for the 8088
Asking alot of this community, but there was some really fun stuff for that ancient sys.  KINGDOM OF KROZ and variants were wonderful games.  The screen MENU programs were delightful in simplicity and I sitll enjoyed old Word Perfect 4.2 as well.  How many of us cut our teeth on LOTUS 1-2-3.  You could do great stuff on these old platforms. 
RalphDaly28
50%
50%
RalphDaly28,
User Rank: Apprentice
1/4/2018 | 1:03:18 PM
Something missing from article
What I havent' seen explictly in the articles I have read about this is the nature of the programs that can execute this attack. For instance, can viewing a web page execute the attack? Or does it require that an actual EXE be executed on the machine? The reports I have seen so far imply that it an attack would require a program to execute on an affected machine. But it is implied only.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/4/2018 | 2:26:09 PM
Re: Something missing from article
Agree - and many patches are due to be released by damn near everybody so I can see a trend that any software that accesses the processor (define now - everything) can be a source of penetration.  What really disturbs me (my 8088 rants aside) is that it has taken YEARS for somebody to notice this one.  We now have decade or longer vulnerability ranges which is terrifying.  
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/5/2018 | 8:33:12 AM
Simple Solution
I read this morning that there is a simple solution here and it is so in theory.  REPLACE EVERYTHING.  With what i do not know but JUST REPLACE EVERY COMPUTER EVERYWHERE.  Remember too we are talking servers, data center machines, peripherals --- just replace.  Consider the impact!!!!!!   And if you accept this premise --- replace with, eh ---- WHAT precisely?????  No new technologies that I have heard of discussed so far.  Just PATCH PATCH AND PATCH and be careful out there. 
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
7/18/2018 | 10:13:28 PM
Re: Simple Solution
This is highly worrying but somehow rather expected too. As long as you are connected to the internet, your device remains in a vulnerable state. You can install preventive softwares but they can only do so much. Let's just hope the sensitive data that you have remains safe with the latest upgrades that you need to regularly update to avoid becoming an easy target.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15473
PUBLISHED: 2018-08-17
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVE-2018-15471
PUBLISHED: 2018-08-17
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or c...
CVE-2018-6622
PUBLISHED: 2018-08-17
An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can...
CVE-2018-14057
PUBLISHED: 2018-08-17
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
CVE-2018-14058
PUBLISHED: 2018-08-17
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.