Own a Mac, PC or smartphone? A major security flaw means you need to do this now

Image of a brain superimposed onto a computer motherboard.

 

Those on Microsoft products will needs to first determine which version of the Windows operating system they are running, then run a query on the Microsoft support site asking “update Windows” along with the version they’re running.

Apple products will automatically update themselves, or at least prompt users to update them.

Google Chromebooks self update. Many, but not all, phones running the Android operating system also do, or will ask if the user wants their operating system updated. You can also go to the settings app on the phone, tap About Device and then tap System Updates to see if an update is available.

Many security companies are suggesting users also make sure their security software is up to date. As soon as hackers create code to use this new flaw, security software will help flag and possibly stop them.

What products are affected?

Potentially everything that’s got a central processing unit or CPU, which means PCs, Macs, laptops, smart phones and tablets. But patches are coming fast and furious.

Microsoft has already pushed out a patch for Windows 10 and other Windows versions will be updated on Tuesday, January 9. If you have auto updates enabled, you should get this upgrade.

Apple on Thursday said that it has already released patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not affected by Meltdown. The upgrades come via auto updates.

 The company plans to release mitigations in Safari to help defend against Spectre “in the coming days,” it said in a blog. The company also said it will continue to develop and test further patches for future updates of its operating system.

Google has published a list of all its devices and software that might need updates and what users have to do to install them, though many (like Chromebooks) will self install.

Amazon’s AWS cloud computing service expected all its computing systems to be patched by the end of the day Wednesday. Customers were also told to patch their operating systems to be fully secured.

What chips are affected?

 

Intel, which makes most of the chips used in PCs, is the most heavily affected. It said Thursday it has already issued updates for the majority of CPUs — the chips that handle the instructions a computer receives from hardware and software, sometimes known as the “brain” of the computer — introduced within the past five years. By the end of next week it expects to have issued updates for more than 90% of processors introduced within the past five years.

Chip-maker Advanced Micro Devices, whose products are mostly used in corporate server computers and personal computers, originally said it didn’t believe its products were at risk for the flaw. It has since updated that to say that one of the potential attacks could be used on some of its chips. It encouraged its customers to use safe computing practices, including “not clicking on unrecognized hyperlinks, following strong password protocols, using secure networks, and accepting regular software updates.”

ARM, whose chips are primarily used in smart phones and electronic devices such as e-readers, televisions, cable boxes and cars, said that only a small subset of its chips were vulnerable and listed them on its website. It has also published a technical paper outlining how the flaws can be mitigated.

How did this happen?

There are actually two exploitable flaws, though they’re related. They have been given the James Bond-esque names Meltdown and Spectre. Both use what’s known as a side-channel analysis attack. Basically, malicious code can be written that allows an attacker to see information stored in what was previously believed to be a secure portion of a computer’s central processing unit, or CPU.

What’s the problem that makes this possible?

 

It’s something no one had realized was an issue for 20-some years. Back in the early 1990s, in an effort to speed up computer processing, computer chip engineers hit on the idea of letting computers guess at what data would be needed next. It was called “speculative execution.” It’s something like a salesperson who sees a man pick out a pair of slacks in a store and so grabs a belt and a jacket that match because they might be what he looks for next.

In the computer, it could be that you go to the banking section of your password management program. The speculative execution function then pulls all your banking passwords into the protected memory portion of the CPU because it’s making a good guess you’ll ask for that next.

Meltdown allows full access to the protected memory space, so it’s potentially more dangerous. It appears to only affect Intel chips manufactured since 1995.

Spectre allows malicious code to trick access random portions of the protected memory. It is believed to affect processors made by Intel, Advanced Micro Devices and ARM.

The real issue is that the flaws allow cyber criminals a new set of tools to steal passwords and other critical data.

“The scope impacts a large set of the computing devices that we rely on, from PC to phones and back-end services consumers rely upon, such as servers and the cloud,” said McAfee chief technology officer Steve Grobman.

How much could the hackers see?

The exploit could allow an attacker to open a window that let’s them look at what’s being rolled into and out of that protected memory space, says Atiq Raza, chairman and CEO of Virsec Systems, Inc and the former president of AMD. Depending how long the hackers can keep the window open “they could see a very significant amount of data scroll by. Even if it’s just for a few seconds, a humongous amount of information could go through,” he said.

 

How did this exist for so long?

An excellent question, which hasn’t been answered yet.

The flaws were discovered over the last several months independently by several teams, including Google’s Project Zero security team, researchers at Graz University of Technology in Austria, the University of Adelaide in Australia and the universities of Pennsylvania and Maryland, along with researchers at security firms Cyberus Technology, Rambus and Data61.

The researchers alerted chip and software companies, which began writing patches and fixes. Everything was supposed to be announced on January 9th.

As companies started to make changes to their software to allow them to implement the patches, security researchers noticed something was going on. This created buzz in the broader computer security community. When the security news site The Register published a story on January 2, it became impossible to wait and Intel and Google went public with the information.

 

Has anyone actually made use of this exploit yet?

Not that we know of. It’s a very complex and rarified attack and one that until a few months ago no one even realized was possible. That said, exploiting this bug wouldn’t leave traces so it’s difficult to know if it’s being used “in the wild,” as security researchers say.

But the race is now on, says Tony Cole, vice president of global government and critical infrastructure with computer security company FireEye. “I’m sure everybody on the attacker side is busy reading everything that’s out and trying to figure out how to use this. It’s being worked on as we speak.”

Leave a Reply