Thursday, January 4, 2018

Security Breaches Threaten All PCs and Phones


Security researchers have uncovered a set of security vulnerabilities that could allow hackers to steal sensitive information from almost any modern computing device equipped with chips from Intel or Advanced Micro Devices (AMD), or with chips based on the ARM Holdings architecture.

One of the vulnerabilities relates specifically to chips made by Intel over the last ten years and another one affects laptops and desktops, smartphones, tablets and internet servers.

But according to Intel and ARM, the flaw is not a design flaw, even though users must download a patch to update their operating system.

"The phones, the PCs, all are concerned, but the impact will vary from product to product," Intel CEO Brian Krzanich said in an interview with CNBC on Wednesday.

Project Zero, the team of computer security experts at Google (a subsidiary of Alphabet), in collaboration with researchers in several countries, discovered two flaws.

The first, called Meltdown, affects Intel chips and allows hackers to bypass the hardware barrier between user-run applications and computer memory, potentially exposing passwords, for example. The second, called Spectre, affects Intel, AMD and ARM chips and potentially allows hackers to seize secret data stored in the memory of applications running on the computer.

FIXES AVAILABLE


According to the researchers, Apple and Microsoft already have fixes for desktop users affected by Meltdown. Asked for comment, Microsoft declined and Apple did not immediately respond.

Daniel Gruss, one of the Graz University of Technology researchers behind the discovery of Meltdown, said it was "probably one of the worst processor bugs ever identified" in an interview with Reuters.

In his view, Meltdown is the most serious problem in the short term, but it could be corrected effectively through software updates.

Spectre, however, which affects almost all computing devices, is harder for hackers to exploit, but it is also harder to fix and will remain a serious problem in the long run, he explained.

Brian Krzanich said on CNBC that Intel had been informed of these flaws by Google researchers some time ago and that the group had tested patches that will be released next week.

Before the problems were revealed, Google said on its blog that Intel and others intended to disclose them on January 9. Google notified the affected companies of the Spectre flaw on June 1 and reported the Meltdown flaw after the first vulnerability report but before July 28.

PCs SLOWED DOWN


The specialist publication The Register was the first to report the existence of these flaws on Wednesday. It also said that the updates that fix the problems could slow computers with Intel chips by 5% to 30%.

But Intel disputes this last statement.


"Intel has started providing software and firmware upgrades to mitigate these flaws," said the world's largest manufacturer of PC chips in a statement. "Contrary to some claims, the impact on performance depends on the workload and, for the average user, it should not be significant and will be mitigated over time," adds Intel.

ARM spokesman Phil Hughes said patches had already been shared with partner companies, including many smartphone manufacturers.

"This method only works if some type of malicious code is already running on a device and could at worst result in access to small data from the preferred memory," he said.

AMD chips are also affected by at least one variant of the disclosed security flaws, but this can be corrected by a software update. Intel's competitor believes there is "almost no risk for AMD products at this time."

Google said in a blog post that recently updated Android phones were also protected, including its Nexus and Pixel models. The US group added that no specific action was required for Gmail, but users of Chromebooks, the Chrome web browser, and other Google Cloud services will need to install updates.

Amazon, for its part, has corrected the problem on most of its Internet servers.

Dan Guido, General Manager of Trail of Bits, a computer security consulting company, is calling on companies to quickly update their systems, as he expects hackers to quickly develop malware that can exploit these vulnerabilities.

Spectre and Meltdown: processors pay the price of speculation


Security: Last night, breaking Intel's embargo, Google revealed details of the vulnerabilities within Intel processors that attracted the attention of the community earlier this week. The Spectre and Meltdown vulnerabilities allow an attacker to access the memory of the machine, despite any protections put in place.

If you listened closely yesterday evening, you could hear the cries of pain from sysadmins who had finally discovered the details of the latest security flaw affecting Intel processors, and those of other manufacturers as well. The rumors began after The Register spotted several patches planned for an upcoming update of the Linux kernel that corrected the behavior of components interacting directly with the processor, which suggested a flaw in Intel processors. But from the chipmaker, radio silence: the details of the flaw were embargoed until January 9 and Intel did not expect such a rapid publication.

Unfortunately, in the face of speculation and questions, the Google engineers behind the discovery decided to fire first and break the embargo by publishing details of two major vulnerabilities affecting the processors: Spectre and Meltdown.

In a series of blog posts and sites dedicated to the flaws, Google engineers take stock and summarize the scope of the two vulnerabilities discovered. These two vulnerabilities are made possible by circumventing the memory space protection technique known as KASLR and by the "speculative execution" techniques that many processors integrate to improve their performance. These techniques are used by the vast majority of Intel processors marketed since 1995, but also by the competition: some models of ARM processors, as well as some AMD processors, are also affected by these security vulnerabilities.

Two Flaws, Two Moods

Meltdown (CVE-2017-5754) is a vulnerability exclusive to Intel. This flaw allows privilege escalation, since it allows a process to access protected memory belonging to the kernel of the operating system. It can thus allow an attacker to access confidential data stored on the machine, such as passwords or access credentials. Meltdown allows an attacker capable of executing code on the machine to recover the entire memory address space allocated to the kernel, as well as its contents.



In particular, it is problematic for machines shared by several users, such as cloud instances: a user who exploits Meltdown on an instance can access all the memory of the machine and thus potentially recover other users' data. Meltdown must be corrected at the operating system level, by implementing a method called Kernel Page Table Isolation (KPTI) that ensures complete separation between the memory space allocated to the kernel and the spaces allocated to users. This is notably what was implemented by the Linux kernel patch set that put the community on the trail of these security holes.



Spectre (CVE-2017-5753 and CVE-2017-5715) is not exclusive to Intel, and other manufacturers are also affected by this variant. Using mechanisms similar to those of Meltdown, Spectre allows a program to access the memory spaces of another program and thus to retrieve confidential information.

Google researchers describe a scenario in which an attacker steals data stored in the machine's RAM directly from a malicious website, running JavaScript code to exploit the security hole. Spectre may nevertheless be a little more difficult to correct, since this time it requires corrections made directly at the level of the applications themselves, or an in-depth redesign of processor architectures, to completely eliminate the vulnerability.
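
A defender's check for the fixes described above, as an added example that is not part of the original article: it reads the status lines that patched Linux kernels publish under `/sys/devices/system/cpu/vulnerabilities` (an interface the article does not mention) and lists which of the three CVEs still lack a confirmed mitigation. The `SAMPLE` values are constructed and are used only when the host exposes no such files.

```python
from pathlib import Path

# Linux kernel interface (not named in the article): one status file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> (label, CVE id as listed in the article)
ISSUES = {
    "meltdown": ("Meltdown", "CVE-2017-5754"),
    "spectre_v1": ("Spectre variant 1", "CVE-2017-5753"),
    "spectre_v2": ("Spectre variant 2", "CVE-2017-5715"),
}

def classify(raw):
    """Return (state, details) for one kernel status line, or for None."""
    if raw is None:
        return "no_data", []  # file missing: older kernel or non-Linux host
    line = raw.strip()
    if line == "Not affected":
        return "not_affected", []
    for prefix, state in (("Mitigation:", "mitigated"), ("Vulnerable", "vulnerable")):
        if line.startswith(prefix):
            rest = line[len(prefix):].lstrip(": ")
            return state, [p.strip() for p in rest.split(";") if p.strip()]
    return "unknown", [line]

def read_sysfs(name):
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None

def report(read_status=read_sysfs):
    """Map each issue to (state, details); read_status(name) returns text or None."""
    return {name: classify(read_status(name)) for name in ISSUES}

def needs_action(rep):
    """Issues that are not confirmed 'mitigated' or 'not_affected'."""
    return sorted(n for n, (s, _) in rep.items() if s not in ("mitigated", "not_affected"))

# Constructed sample values in the kernel's format: KPTI on, Spectre v2 unpatched.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = report()
    rep = live if any(s != "no_data" for s, _ in live.values()) else report(SAMPLE.get)
    print(rep, "needs action:", needs_action(rep))
```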


These two flaws have so far not been exploited by cybercriminals, but their details are now public and they could be integrated into new malware in the future.

Do not confuse speed with haste

These flaws are made possible by exploiting methods used by processors to speed up the execution of commands. Meltdown relies on out-of-order execution, a method used by processors to efficiently execute the instructions sent to them. These are not necessarily executed in order, and the researchers discovered that this mechanism had defects, allowing an attacker to recover the memory of the machine by exploiting this technique.

The use of Meltdown allows access to all the memory of the machine, without security restrictions. Google researchers explain that this method can be used to recover data at a rate of 503 kb/s.

Spectre relies on a closely related mechanism, also used to improve the performance of processors: speculative execution, in which a processor executes instructions before they are actually transmitted to the processor, in order to optimize performance.

These different methods are quite common in the microprocessor industry and, although Intel is widely blamed, the chipmaker is not the only one whose processors have been affected by the security flaw: AMD and ARM are also among those affected, to a lesser extent. Intel remains the manufacturer most affected, because of its architecture choices as well as its dominance in the processor market. It defended itself last night in a statement, but it is hard to deny: this security hole is mainly hurting Intel's image.

The attack is therefore a real headache: besides the fact that it is particularly dangerous and not necessarily obvious to correct, the mishaps of coordinated disclosure and broken embargoes do not really simplify things. The flaw was discovered last year by researchers, and the industry planned to silently fix its systems before revealing the details of the vulnerability on January 9. Unfortunately for them, the embargo did not hold until then.