Major Security Flaws Exist on Intel, AMD, ARM CPUs

Happy New Year! Three massive security flaws in Intel, AMD, ARM and other processors were disclosed Wednesday (Jan. 3). Microsoft issued an emergency patch for all supported versions of Windows, including Windows 7, Windows 8.1 and Windows 10, but added that users should also apply firmware updates when they become available from device manufacturers. Google patched the flaw in Android with the January 2018 update, issued Tuesday (Jan. 2), although only Google-managed devices have it for now. Patches for macOS, iOS and Linux may not yet be fully available. 

Two proof-of-concept attacks, dubbed "Meltdown" and "Spectre," exploit these three flaws, which concern the way modern computer processors handle the running memory of applications and the core system, or kernel, on current operating systems.

"Meltdown and Spectre work on personal computers, mobile devices, and in the cloud," the websites devoted to each flaw, which have identical content, say. "Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers."

A Google blog posting explained that the flaws made it possible for "an unauthorized party [to] read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications."

Meltdown erases the boundaries between kernel processes and user processes and seems to be confined to Intel chips. Spectre steals data from running applications and works on AMD and ARM chips as well. The Spectre and Meltdown websites did not detail how the various chipsets used on mobile devices were affected.

AMD, however, denied that it was affected by any of the flaws.

"AMD is not susceptible to all three variants," the company said to CNBC. "Due to differences in AMD's architecture, we believe there is a near-zero risk to AMD processors at this time."

What to Do

If you use Windows 7, 8.1 or 10, you should apply the Windows security update released today. Early versions of the patches were sent to Windows Insider users in November and December.

"We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel," a Microsoft statement given to us said in part. "We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

However, there are a couple of catches. First, unless you're running a Microsoft-provisioned laptop or tablet such as a Surface, Surface Pro or Surface Book, you'll have to also apply a firmware update from your computer's manufacturer.

"Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities," a Microsoft support document posted online said. "In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update."

Second, Microsoft is insisting that customers make sure they have "supported" antivirus software running before applying the patch. In a separate document explaining the new security patch, Microsoft says that only machines running such software will get the patch automatically. 

It's not clear exactly what Microsoft means by "supported" antivirus software, or why Microsoft insists that such software should be on the machine before the patch is applied. There's a link to a document that's supposed to explain all this, but as of this writing late Wednesday evening, the link went nowhere.

Last, Microsoft admits that there are "potential performance impacts" associated with the patches. In other words, after you apply the patches, your machine might run more slowly.

"For most consumer devices, the impact may not be noticeable," the advisory states. "However, the specific impact varies by hardware generation and implementation by the chip manufacturer."


To manually run Windows Update, click the Start button, click the Settings gear icon, click Updates & Security and click Check for updates.

Apple users should install future updates by clicking the Apple icon, selecting App Store, clicking Updates, and clicking Update next to any items from Apple. There was an unconfirmed report on Twitter that Apple had already patched the flaws with macOS 10.13.2 in early December, but the vulnerability ID numbers (CVEs) covered in the December Apple patches don't match those assigned to Meltdown and Spectre.

Linux machines will also require patches, and it appears that something may be almost ready. As mentioned above, the January 2018 Android security patch fixes the flaw, though only a small percentage of Android devices will receive it for now. (It's not clear how many Android devices are susceptible.)
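One way to check a Linux machine once the kernel patches arrive, as an added example that is not from the article or the Meltdown/Spectre sites: patched kernels (Linux 4.15 and the stable backports) expose one status file per flaw under /sys/devices/system/cpu/vulnerabilities, and the script below reads and classifies them. The sample status strings are constructed for the example; the status categories and the helper names are this example's own.

```python
import os

# Real sysfs location on patched kernels; the file names are the three
# flaws the article covers (Meltdown, Spectre variant 1, Spectre variant 2).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample: what a partially mitigated kernel might report.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify(line):
    """Map one status line to (category, detail).

    Categories: 'mitigated', 'not affected', 'vulnerable', 'unknown'.
    A 'Vulnerable: ...' suffix means only a partial mitigation is active.
    """
    text = line.strip()
    if text == "Not affected":
        return ("not affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.partition(":")[2].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text.partition(":")[2].strip() or "no mitigation")
    return ("unknown", text)


def report(entries):
    """Classify every flaw in a {name: status_line} mapping."""
    return {name: classify(line) for name, line in entries.items()}


def needs_action(classified):
    """Flaws that still require a kernel or microcode update."""
    return sorted(n for n, (cat, _) in classified.items() if cat != "mitigated" and cat != "not affected")


def read_sysfs(root=SYSFS_DIR):
    """Read the real files; a missing file means the kernel predates the interface."""
    out = {}
    for name in FLAWS:
        try:
            with open(os.path.join(root, name)) as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = "absent (kernel does not expose this file)"
    return out


if __name__ == "__main__":
    for name, (cat, detail) in report(read_sysfs()).items():
        print(f"{name:11s} {cat:13s} {detail}")
```

Any flaw reported as "vulnerable" or "unknown" still needs the distribution's kernel update and, for Spectre variant 2, the manufacturer's microcode update the article describes.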

How the Attacks Work

The Meltdown attack, which as far as the researchers know affects only Intel chips developed since 1995 (except the Itanium line and the pre-2013 Atom line), lets regular programs access system information that is supposed to be protected. That information is stored in the kernel, the deeply-recessed center of the system that user operations are never meant to go near.

"Meltdown breaks the most fundamental isolation between user applications and the operating system," the Meltdown and Spectre websites explained. "This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system."

"If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information."

Meltdown was named as such because it "basically melts security boundaries which are normally enforced by the hardware."

To fix the associated flaw, kernel memory would need to be even more isolated from user processes, but there's a catch. It appears that the flaw exists in part because sharing of memory between the kernel and user processes allows systems to run more speedily, and stopping that sharing might decrease CPU performance.

Some reports said the fixes could slow systems down by as much as 30 percent. Our colleagues at Tom's Hardware think the system-performance impact would be much smaller.

Spectre, on the other hand, is universal and "breaks the isolation between different applications," the websites said. "It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre."

"All modern processors capable of keeping many instructions in flight are potentially vulnerable" to Spectre. "In particular, we have verified Spectre on Intel, AMD, and ARM processors."

The sites go on to explain that detection of such attacks would be nearly impossible, and that antivirus software could only detect malware that entered the system before launching the attacks. They say Spectre is more difficult to pull off than Meltdown, but that there was no evidence any similar attacks had been launched "in the wild."

However, they said that Spectre, so-called because it abuses speculative execution, a common chipset process, "will haunt us for quite some time."

The Lost Art of Keeping a Secret

Intel, AMD and ARM were told by Google of these flaws back in June 2017, and all involved parties tried to keep it all hush-hush until the patches were ready next week. But information-security experts who weren't in on the secret could tell something big was coming.

Discussions in Linux development forums concerned radical overhauls to the operating system's handling of kernel memory, yet no details were disclosed. People with Microsoft, Amazon and Google email addresses were mysteriously involved. Unusually, the overhauls were to be back-ported to several earlier versions of Linux, indicating that a major security problem was being fixed.

That sparked a couple of days of conspiracy theories on Reddit and 4chan. On Monday (Jan. 1), a blogger calling himself Python Sweetness "connected the invisible dots" in a long posting detailing several parallel developments among Windows and Linux developers concerning handling of kernel memory.

Late Tuesday (Jan. 2), The Register aggregated a lot of similar information. It also noted that Amazon Web Services would be performing maintenance and rebooting its cloud servers this coming Friday evening (Jan. 5), and that Microsoft's Azure Cloud had something similar planned for Jan. 10.

The dam broke Wednesday when a Dutch security researcher tweeted that he had created a proof-of-concept bug that seemed to exploit at least one of the flaws.

At 3 p.m. EST Wednesday, Intel, which had seen its stock dip about 10 percent in that day's trading, issued a press release that downplayed the flaws, and its stock accordingly regained some ground. But the company admitted that the flaws could be used to steal data, and that it and other chipmakers were working to fix the problem.

"Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available," the statement said. "However, Intel is making this statement today because of the current inaccurate media reports."

At 5 p.m., Daniel Gruss, a post-doctoral student in information security at the Technical University of Graz in Austria, came forward to announce Meltdown and Spectre. He told ZDNet's Zack Whittaker that "almost every system" based on Intel chips since 1995 was affected by the flaws. It turned out the problem was even worse.

Gruss was one of seven Graz researchers who in October 2017 published a technical paper detailing theoretical flaws in the way Linux handled kernel memory, and proposed a fix. Python Sweetness, the pseudonymous blogger referred to at the beginning of this story, was apparently correct in guessing that that paper was central to the Intel flaw being worked on now.

At 6 p.m. EST, the Spectre and Meltdown sites went live, along with a Google blog posting detailing that company's own research. It turned out that two teams had independently discovered Meltdown, and three different teams had concurrently found Spectre. Google's Project Zero and Gruss's team at Graz had a hand in both.

Image credit: Natascha Eidl/Public domain