
Security flaws put virtually all phones, computers at risk

09 January 2018

The Meltdown attack exploits vulnerability CVE-2017-5754 and Spectre uses CVE-2017-5753 and CVE-2017-5715. It said it planned to publicly disclose the problem next week.

The flaws could allow an attacker to read sensitive data stored in memory, like passwords, or look at what tabs someone has open on their computer, researchers found. Daniel Gruss, a researcher from Graz University of Technology who helped identify the flaw, said it may be hard to execute an attack, but billions of devices were impacted. Regarding Meltdown, Google now believes that "every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)". Fully removing the vulnerability requires replacing vulnerable CPU hardware.

While the problem was initially identified in computers based on Intel processors, Google has since pointed out the same security issue can be found in other devices.

The U.S. Computer Emergency Readiness Team recommended that users read advice posted online by Microsoft and software company Mozilla.

When Google's Project Zero lab first disclosed the vulnerabilities, it said that it was possible to guard against Meltdown with software patches. The company's shares were down 3% on Wednesday.

"In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services", the chip maker said in a statement on Thursday.

Intel is working closely with rivals AMD and ARM to fix the critical security loophole as soon as possible.

The tech giant says computers powered with hardware by AMD, Intel's biggest competitor, are also affected. In a statement to CNBC, AMD explained the difference in architecture between Intel and AMD chipsets puts AMD at "zero risks".

A fix requires both the chip manufacturers and software makers to update their products before pushing them out. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel said it has worked with other companies to verify the vulnerability and develop ways to fix or mitigate it. While security flaws are typically limited to a specific company or product, Intel says the problem is "not a bug or a flaw in Intel products" but rather a broader problem affecting processing techniques common to modern computing platforms. Microsoft declined to comment and Apple did not immediately return requests for comment.

Microsoft said "the majority" of its Azure cloud infrastructure has been patched against Meltdown and Spectre, but some customer VMs may need to be rebooted in order to apply the patch; Microsoft has sent notifications to those affected.

Flaws in chips are unusual.