How to protect devices from Spectre and Meltdown chip flaws

Google's Pixel phones will receive it automatically, while owners of other Android devices are at the mercy of their device manufacturers and wireless carriers, which decide when updates are rolled out.

Like any other large enterprise, the federal government is scrambling to protect its systems and networks in the wake of the Jan. 3 announcement that two newly-discovered vulnerabilities, nicknamed Meltdown and Spectre, exist in the processor chips of virtually all computers and mobile devices.

The very real fear is that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer's memory, which may be storing sensitive information.

Spectre and Meltdown were discovered by a group of independent, academic, and industry researchers, including a team at the Graz Technical University in Austria, researcher Paul Kocher, and Google's Project Zero security team. The vulnerability is said to have been around for more than two decades in "modern processor architectures", according to Amazon.

Horn "demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible", Google said.

The UK's National Cyber Security Centre (NCSC) said so far there was "no evidence" the flaw had been exploited by hackers, and many tech firms have said they are either working on or have already issued fixes. However, the center warned that patching may diminish device performance by up to 30 percent and acknowledged that it represented only a partial solution.

Both AMD and ARM are reported to have released statements advising of their level of exposure to the flaw. Present in just about every processor shipped by the chipmaker since 1995, the flaw can be used to unravel some of the most critical security mechanisms used in operating system software. Someone with access to an account on one of their cloud servers could potentially have accessed other customers' data.

In a support article, Microsoft offers the reassurance that it is unaware of any instance of the chip vulnerabilities being used to attack customers. "Starting in October we heard of some effort by Intel to merge a KAISER patch into the upstream kernel, which surprised us", he says.

Alex Ionescu, vice president of EDR Strategy at CrowdStrike, applauded all of the work by vendors to mitigate the risks of Meltdown and Spectre.

The lack of diversity in the computing business turns such vulnerabilities into a systemic problem.

Google said in its blog post about the exploit that the issue has been mitigated in many products or wasn't a vulnerability in the first place. They allege that the vulnerability, which Intel learned about several months ago, makes its chips inherently faulty. Intel says it is issuing firmware updates for the majority of processor products introduced in the past five years. Spectre, however, affects smartphones and modern processors. As fishy as it looks, Intel's CEO Brian Krzanich sold off a hefty portion of his company shares that almost rocked his position in the company. It also lets attackers open up an illicit backchannel, but in a different way: it enables a rogue program to trick a legitimate one running on the same computer to divulge information.

Google said that all products have been updated but that a new security update, dated 5 January, will be released. Fogh couldn't get the attack to work, but Gruss's colleagues Michael Schwarz and Moritz Lipp did.

However, rising speculation about the severity of the issue - including potential performance impacts on servers and public cloud environments - forced it to go public sooner. But most importantly, make sure all of your software, operating systems and browsers specifically, is up to date at all times.

The Spectre flaw contains two different exploitation techniques called CVE-2017-5753 or "bounds check bypass", and CVE-2017-5715 or "branch target injection", according to Apple.
