Silicon Valley reels after two chip flaws put world’s computers and smartphones at risk
by Seung Lee, The Mercury News - Silicon Beat
Tech companies around the world are reeling and rushing fixes for two microprocessor flaws that have put nearly all the computing devices in the world at risk from hackers.
The flaws — dubbed Meltdown and Spectre — are in chips made by Intel and other major suppliers and can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails. The flaws were first disclosed by British technology news site the Register on Tuesday and made public by the researchers on Wednesday.
Because the flaws date back more than two decades and Intel chips are ubiquitous in computers, cloud servers and mobile devices, the two flaws affect nearly all computing devices in operation, as well as the servers that store data in the cloud.
Users have little choice except to wait for new software patches from makers of their devices.
Meltdown is exclusive to Intel chips and allows hackers to bypass the hardware barrier between running applications and the computer’s memory, thereby allowing hackers access to the latter. Spectre affects chips made by Intel, AMD and ARM and tricks applications into handing over secret information.
Daniel Gruss, an Austria-based researcher who discovered Meltdown, described it as “probably one of the worst CPU bugs ever found” in an interview with Reuters. Gruss also said Meltdown is the more serious short-term issue and easier to fix than Spectre. Gruss was part of a team of researchers led by Google Project Zero, which seeks to expose vulnerabilities and fix them before hackers exploit them.
The effects of the flaws have rippled through every major computer and cloud server company, including Apple, Microsoft, Google and Amazon.
While the hacking potential of Meltdown and Spectre is enormous, there have been no recorded exploits, according to researchers. However, now that Meltdown and Spectre are public knowledge, the chances of an exploit may be greater.
Affected companies on Wednesday rushed out statements and fixes against the flaws, offering hope that the issue may be mitigated.
Microsoft rushed out an automatic Windows update on Wednesday. But some Windows users may not be able to get the update due to third-party antivirus applications, according to Microsoft.
“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor,” said Microsoft in a blog post.
Google, whose Android phones and Chrome browser are vulnerable, announced it will have updated software versions with security patches later this month. New Android software will roll out Jan. 5, and Google Chrome will update Jan. 23, according to Google. The company also alerted users to update their operating systems.
Mozilla, which operates the Firefox browser, announced it will also include updates in its latest version.
Amazon, which runs the popular cloud service Amazon Web Services, announced on Wednesday a single percentage of servers were previously protected and that the rest will be patched later in the day. Like Google, Amazon also asked customers to patch the operating systems they use.
Apple has not publicly announced any patches yet, but researchers have said Apple was working on a patch for macOS against Meltdown.
Intel, ARM and AMD bore the brunt of the criticism after the news broke. AMD told multiple media outlets that “due to difference in AMD’s architecture” from the other two, the company believed there was “near zero risk to AMD processors at this time.”
In its initial statement on Wednesday, Intel denied that this was solely an Intel issue.
“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,” said Intel. “Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”
On Thursday, Intel issued an update saying that it has already issued updates for the majority of processor products introduced within the past five years. Intel expects to issue updates for 90 percent of processor products introduced within the same time period by the end of the week.
However, pushback against Intel has been swift. Intel’s shares plunged 3.5 percent on Wednesday and continued to sink during trading Thursday. The decline followed news reports that Intel CEO Brian Krzanich sold a huge chunk of his company stake in November — after the company was aware of both Meltdown and Spectre.
While most of the issued patches will fix Meltdown, researchers expressed concerns about how to fix Spectre. Because Spectre’s root issue is derived from how microprocessors have been designed by multiple companies since the 1990s, Spectre may haunt all computing devices for years to come.
“We’ve really screwed up,” said Paul Kocher, one of the researchers who discovered Spectre, to the New York Times. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”