By Zack Whittaker for Zero Day | | Topic: Security
Just hours after proof-of-concept code was tweeted, security researchers have revealed the long-awaited details of two vulnerabilities in Intel processors dating back more than two decades.
Two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly.
The researchers who discovered the vulnerabilities, dubbed “Meltdown” and “Spectre,” said that “almost every system,” since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.
“An attacker might be able to steal any data on the system,” said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet.
“Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine,” according to the paper accompanying the research.
The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems.
AMD said in a statement: “The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”
British chipmaker ARM told news site Axios prior to this report that some of its processors, including its Cortex-A chips, are affected.
The two bugs break down a fundamental isolation that separates kernel memory — core of the operating system — from user processes. Meltdown lets an attacker access whatever is in the affected device’s memory, including sensitive files and data, by melting down the security boundaries typically held together by the hardware. Spectre, meanwhile, can trick apps into leaking their secrets.
One example of a worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory.
The researchers said it wasn’t known if either bug had been exploited by attackers to date. The UK’s National Cyber Security Center also said it too has seen “no evidence” of any malicious exploitation.
COORDINATED RESPONSE
Despite an embargo to ensure a safe disclosure, news of the bugs first emerged Tuesday when tech site The Register reported details of the yet-to-be-released bugs.
Behind the scenes, tech giants were already working on a coordinated response to issue critical patches to their customers, and their own systems. Tech firms had until January 9 to get their houses in order.
But on Wednesday, security researcher Erik Bosman tweeted a proof-of-concept code, in part prompting an earlier release.
Microsoft released patches for Windows, outside its usual Patch Tuesday update schedule — Windows Insiders on the fast-ring already received the patches in November. Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment. And, patches for Linux systems are also available.
Many cloud services running Intel-powered servers are also affected, prompting Amazon, Microsoft, and Google to patch their cloud services and schedule downtime to prevent would-be attackers from reading other processes on the same shared cloud server.
Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days.
Google, whose Project Zero team was credited with finding the vulnerability, said in a blog post that, “as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data.”
ZDNet’s Chris Duckett has more on the specifics of the vulnerabilities.
