Just hours after proof-of-concept code was tweeted, security researchers have revealed the long-awaited details of two vulnerabilities in Intel processors dating back more than two decades. The two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
The researchers who discovered the vulnerabilities, dubbed "Meltdown" and "Spectre," said that "almost every system" since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines. "An attacker might be able to steal any data on the system," said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet. "Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine," according to the paper accompanying the research. The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Mac, and Linux systems. AMD chips are not thought to be affected by the vulnerabilities. British chipmaker ARM told news site Axios prior to this report that some of its processors, including its Cortex-A chips, are affected. Spokespeople for AMD and ARM did not immediately return an email for comment. The two bugs break down a fundamental isolation that separates the kernel's memory -- the core of the operating system -- from low-level user processes. Meltdown lets an attacker access whatever is in the affected device's memory, including sensitive files and data, by melting down the security boundaries typically held together by the hardware. Spectre, meanwhile, can trick apps into leaking their secrets. One example of a worst-case scenario is that a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory. The researchers said it wasn't known if either bug had been exploited by attackers to date. The UK's National Cyber Security Centre said it too has seen "no evidence" of any malicious exploitation.
COORDINATED RESPONSE

Despite an embargo to ensure a safe disclosure, news of the bugs first emerged Tuesday when tech site The Register reported details of the yet-to-be-released bugs. Behind the scenes, tech giants were already working on a coordinated response to issue critical patches to their customers and their own systems. Tech firms had until January 9 to get their houses in order. But on Wednesday, security researcher Erik Bosman tweeted proof-of-concept code, in part prompting an earlier release. Microsoft released patches for Windows outside its usual Patch Tuesday update schedule. (Windows Insiders on the fast ring already received the patches in November.) Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment. Patches for Linux systems are also available.

Many cloud services running Intel-powered servers are also affected, prompting Amazon, Microsoft, and Google to patch their cloud services and schedule downtime to prevent would-be attackers from reading other processes on the same shared cloud server. Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days. Spokespeople for Amazon, Google, and Microsoft, when reached, did not immediately comment. When we hear back, we will update. Intel also did not respond to a request for comment prior to publication, but in a statement denied that the exploits were caused by a "bug" or a "flaw." "Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits," said Intel. "Intel believes these exploits do not have the potential to corrupt, modify or delete data."

SLOWDOWNS ON DECK?

Incoming patches are expected to prevent attackers from exploiting the chips' design flaw, but have prompted concern that chip performance will be degraded as a result.
That could result in the slowing down of home and work computers, as well as the cloud services that host popular sites and services. Intel's statement said that "any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time." Gruss told ZDNet that general browsing and less processor-intensive work are less likely to be affected by any slowdowns. "We have observed many workloads that are not affected much," he said. "Generally, a large number of context switches is bad for performance when KAISER is applied," referring to KAISER, a kernel isolation technique about which Gruss wrote a paper last year. "For instance doing a lot of accesses to small files, you might have slow downs of 50 percent or more," he confirmed. Although patches are available, new processors are expected to be reengineered to avoid a similar problem in the future. But existing affected devices could long see the after-effects of these vulnerabilities. Gruss said that, given how tricky the Spectre attacks are to mitigate, they are "going to haunt us for years."

Contact me securely: Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.