Tags:
Intel Bug forces computers around the globe to be updated immediately.
On the recent press release by Intel on Jan 3, 2018 they have admitted to a severe design flaw in their CPU architecture. This allows sensitive data, such as password and crypo-keys to be stolen from the memory unencrypted. This massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major OS.
The Issues that exists in the CPU itself has been dubbed Meltdown and Spectre by Intel. All operating systems such as MAC, Linux, Android, Windows, Chromebooks and other operating systems all need to protect against it. And, the worst of all this update will negatively effecting your computer’s performance.
Average home users may not have adverse effect by this patch too much though it is recommended to apply the latest update and keep the antivirus programs vigilant, as ever.
So here is the gist of things about the Meltdown and Spectre attacks.
What is it?
This is technically a design flaw in the CPU which allows all the data stored in the kernel to be accessed by unprivileged processors to read data in memory that it should not be able to. In a nutshell this exploit allows access to your operating systems sacrosanct kernel memory because of how the processors handle “speculative execution”, which modern CPUs perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in your protected kernel memory, including passwords, cryptographic keys, personal data, email etc on your PC.
Meltdown is more serious exploit, and the one that operating systems are rushing to fix it. It “breaks the most fundamental isolation between user applications and the operating systems” according to google. This flaw most strongly affects Intel because of the way they handle speculative execution.
Spectre affects both amd and arm processors as well as Intel CPUs which means mobile devices are at risk. It’s harder to exploit than Meltdown, but it is also harder to mitigate” Google says. There may be no hardware solution to spectre, which “tricks other applications into accessing arbitrary locations in their memory”.
How do I know if my PC is at risk?
Short answer: It is. Probably.
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “near zero” risk because of the way its chip architecture is designed. Intel said Thursday, though, that the patches that it is issuing—via firmware and operating system patches—“render those systems immune from both exploits.” That’s a big claim from Intel, and has yet to be confirmed. You can find a full list of affected Intel processors in this article.
What is the difference between Meltdown and Spectre?
Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
So, what can I do?
Not much besides updating your PC with Meltdown patches issued by operating system makers. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime—advice that Intel also stresses.
When will the fixes be out?
For windows, mac and chromebook users it is already out.
Microsoft pushed out a windows update (KB4054022) protecting against Meltdown on Jan3, 2018 soon after the press release. The release of the update outside of monthly “patch Tuesdays” are rare, underlining the severity of the issues.
Apple did it quietly on their masOS high sierra 10.13.2 released on Dec 6, 2017, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says. Kernel patches are also available for linux.
Chromebooks received protection in Chrome OS 63 released on Dec 15 2017. Furthermore chrome web browsers itself was updated to include an opt-in fearure called “site isolation” that can help guard against spectre attacks. Although it will take time to be implemented on mobile devices as it can create “functionality and performance issues” in android, and since chrome in iOS is force to useWkWebView, the solutions in that platform must come from Apple itself. Chrome 64 will include more mitigations.
Both Mozilla and Microsoft are taking necessary steps to protect browsers against spectre as well. Edge and internet explorer received an update alongside windows 10.
Want to know more?
Papers published by Intel about Meltdown and Spectre are available here.
What we think about it?
This is a very serious issue that has gone unchecked over the last decade which will have a very serious implications to it. In the race to create faster CPUs Intel has overlooked a fundamental design flaw and let it continue for more than a decade. All processors from Intel manufacturers are now under the microscope and who knows how big the repercussions will be. Intel has said that the patch for the CPUs released in last five years have been rolled out but have not clarified about the older CPUs. No matter the case this will have very serious effect on intel loyalist and those who have been using Intel processors. Until this issue is dealt with it is better to not buy any new CPUs and gadgets as all the software updates are currently only a band aid fix and does not completely remove the issue.