Major chip flaws affect billions of devices

Posted: Jan 4, 2018 3:09 PM
Updated: Jan 4, 2018 3:09 PM

Two major flaws in computer chips could leave a huge number of computers and smartphones vulnerable to security concerns, researchers revealed Wednesday.

And a U.S. government-backed body warned that the chips themselves need to be replaced to completely fix the problems.

The flaws could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer, researchers found. Daniel Gruss, a researcher from Graz University of Technology who helped identify the flaw, said it may be difficult to execute an attack, but billions of devices were impacted.

Called Meltdown and Spectre, the flaws exist in processors, a building block of computers that acts as the brain. Modern processors are designed to perform something called "speculative execution." That means they predict what tasks they will be asked to execute and rapidly access multiple areas of memory at the same time.

That data is supposed to be protected and isolated, but researchers discovered that in some cases, the information can be exposed while the processor queues it up.

Researchers say almost every computing system -- desktops, laptops, smartphones, and cloud servers -- is affected by the Spectre bug. Meltdown appears to be specific to Intel chips.

"More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors," the researchers said.

Government agencies issued statements warning users about the vulnerabilities.

The U.S. Computer Emergency Readiness Team said that while the flaws "could allow an attacker to obtain access to sensitive information," it's not so far aware of anyone doing so.

The agency urged people to read a detailed statement on the vulnerabilities by the Software Engineering Institute, a U.S. government-funded body that researches cybersecurity problems.

The institute said that "fully removing the vulnerability requires replacing vulnerable [processor] hardware."

It said the problems affect technology giants including Apple, Google and Microsoft.

The U.S. Computer Emergency Readiness Team recommended that users read advice posted online by Microsoft and software company Mozilla.

The U.K.'s National Cyber Security Center advised organizations and individuals to "continue to protect their systems from threats by installing patches as soon as they become available."

Google programmer Jann Horn of Project Zero was one of the researchers who discovered the flaws. In a blog post, he said his group alerted chipmakers to the issues in June. Since last fall, security researchers and companies have investigated and updated software systems to address the flaws.

Intel chips are found in everything from personal computers to medical equipment. The company's shares were down 3% on Wednesday.

The company said in a press release that "many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits."

Intel said it is working with other chipmakers, including AMD and ARM Holdings, to solve the issue. ARM said in a statement a small subset of its processors are susceptible to the flaws. AMD said in a statement there is a "near zero risk of exploitation" for one of the security issues, due to architecture differences.

A fix requires both the chip manufacturers and software makers to update their products before pushing it out.

Estimates posted on Linux message boards suggested computer performance could slow down between 5% and 30% once patched; however, Intel said users will not see significant performance changes.

Tech website The Register was first to report the processor flaws on Tuesday.

A spokesperson for Microsoft told CNNMoney the company is aware of the issue and is in the process of deploying mitigations to cloud services and has released security updates to protect Windows users.

Google's Cloud Platform has been updated to prevent the vulnerabilities, the company said.

Amazon said in a statement most of its cloud computing machines affected by the flaw are already protected, but it is updating the rest on Wednesday.

Researchers said patches were available for Apple's OS X. The company did not respond to a request for comment.

It's important for all users to update their devices when new updates are released.

Flaws in chips are unusual. Back in 1994, a major error in Intel's Pentium processor caused computers to incorrectly calculate results.

-- Jethro Mullen contributed to this report.
