#Everyday_Tech #chip #flaw #Intel Major Flaw in Millions of Intel Chips Discovered: A serious flaw has been discovered in the design of Intel’s chips. It will require Microsoft, Linux, and Apple to update operating systems for computers all over the world. The problem has to do with the way certain Intel CPUs address… The post Major Flaw in Millions of Intel Chips Discovered appeared first on Vision Times. http://dlvr.it/Q98PR7
How the Intel #CPU vulnerability was first discovered is pretty interesting. This researcher basically found he could #hack his own #computer - much to his horror.
#V2Systems #ITProfessionals #Intel #Meltdown #Spectre
http://ow.ly/rWPX30hCdu0
Intel CEO sold all the stock he could after #Intel learned of security bug https://arstechnica.com/?post_type=post&p=1239883 #intelbug #meltdown #spectre
1/6/18
Massive Intel Vulnerabilities Just Landed -- And Every PC User On The Planet May Need To Update
Dubbed Meltdown, the flaw allowed a hacker to read information from applications' memory at the kernel level, a space deep down in the operating system that's core to the functioning of everything on a computer. Passwords, photos, documents and other sensitive data could all be read by an attacker exploiting Meltdown, the researchers warned on a website and in a whitepaper Wednesday. They noted that "virtually every user of a personal computer" in the world was affected either by Meltdown or a related issue they named Spectre, and that the entire memory contents of a vulnerable PC could be surveilled.
If a computer is run by any Intel processor from 1995 onwards, bar Itanium and Atom chips manufactured before 2013, it's likely vulnerable, the researchers warned. And, crucially, cloud environments are also affected, as the flaw could be abused by an attacker to read memory of a virtual machine without any permissions or privileges.
Software updates are expected to land over the next week to defang the issue and users have been advised to update as soon as possible.
What's the problem?
Typically computers should separate one application from reading information passing through the kernel. But with Meltdown, that isolation is broken, so one program can read another's memory in the kernel without permission. As the researchers noted: "The bug basically melts security boundaries which are normally enforced by the hardware."
The attack exploits the way in which Intel systems handle processes where the CPU cannot be certain whether an instruction will run or not, known as speculative execution. Typically, Intel will guess at the outcome of a process, run it to get ahead of the task and return to execute code when it's figured out what to do. During that process Intel didn't successfully separate low-permission applications from accessing kernel-level memory, meaning an attacker could use a malicious application to get at that private data that should've been segregated.
Earlier on Wednesday, Erik Bosman, from the Systems and Network Security Group at the Vrije Universiteit Amsterdam in the Netherlands, tweeted what appeared to be a proof of concept hack of the vulnerability, which had been reported on but was unconfirmed at the time.
Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the issue, alongside academic colleagues, Google Project Zero's Jann Horn and employees of German cybersecurity firm Cyberus Technology. He told Forbes that the researchers "only have proof-of-concept code for local attacks." That meant, in the real world, an attack would require the intruder to have found a way onto the computer first. A typical cyberattack, such as a phish that installs malware, would be a likely entry point, though it's unknown if any malicious individual has attempted to carry out the hack.
The researchers said they'd only successfully exploited Meltdown on Intel chips and were unsure if the attacks would work on AMD or ARM systems. A public ARM statement indicated the British company's chips were unaffected.
Intel responds
Intel issued a statement, in which it said that it wasn't possible to modify a vulnerable system, only spy on data, adding that media reports on the nature of the issue were inaccurate. In particular, it took umbrage with the claims that the exploits were caused by a "bug" or a "flaw" and were unique to Intel products. "Intel has begun providing software and firmware updates to mitigate these exploits," the company said, noting it was working with AMD, ARM and operating system manufacturers to prevent attacks.
"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports." It recommended downloading any available updates as soon as they are available.
Microsoft said it was in the process of deploying fixes to its cloud services and was releasing security updates today to protect Windows customers, whilst Apple hadn't responded to Forbes' request for a response. The researchers said both companies were supplying updates for Windows and Mac OS. The academics, who'd developed a fix called KAISER, also noted fixes for Linux computers were ready. And Amazon Web Services posted an advisory for its cloud customers.
Performance problems?
Intel also denied claims that performance of Intel-based computers would be significantly affected by Meltdown. One report had claimed the degradation could cause a slowdown of between 5% and 30% of typical performance. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company said.
Gruss said he was unsure about the potential impact on performance, telling Forbes it depended on many factors, from the processor architecture to the use case. He did agree with Intel, however, that regular computer users wouldn't be affected much by the slowdown. But, he added, "unusual workloads" on older computers could be up to 50% slower.
A Spectre looms
Meltdown wasn't the only problem uncovered by the researchers, however. They detailed a related issue dubbed Spectre, which they believe is harder to address than Meltdown and for which there aren't yet patches available. As noted in a whitepaper, which contains the full technical details, Spectre attacks induce a victim application to carry out the speculative execution "that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary." Google's Jann Horn has also released his full analysis of Meltdown and Spectre.
Worryingly, it's not just Intel systems that are affected by Spectre, but computers running AMD and ARM too, the researchers claimed. That would amount to not millions, but billions of machines, they added. For instance, Gruss said Spectre attacks on AMD-based machines worked "super-reliably."
A spokesperson from AMD, however, noted that it had been contacted by Google about the issues, but that "based on the findings to date and the differences in AMD processor architecture, we believe there is near zero risk to AMD products at this time." It noted that the problems would be addressed by software and operating system updates.
ARM, meanwhile, said it was in the process of informing its partners and encouraging them to deploy the mitigations it had developed if their chips are impacted. "At this site - https://developer.arm.com/support/security-update - you can find more technical information, including the ARM cores impacted and details on how to get the software mitigations," a spokesperson said.
Spectre may also work better in exploiting cloud systems, according to Gruss. He noted that Spectre can trick a hypervisor - the software that manages virtual machines in a cloud - into leaking secrets to a guest. And, whilst he said it was not as easy to execute as Meltdown, he believes a hack can run in JavaScript. "This means that you would only have to navigate to an attacker-controlled website," he added.
#Intel #MeltdownCPU #designflaw
#Meltdown and #Spectre - Two serious #Security Holes in the #CPU! #AMD #Intel #Hackers #meltdownattack #spectreattack #meltdownspectre
http://bit.ly/2F9fkUQ
![[News] Meltdown and Spectre - Two serious Security Holes in the CPU severely affect billions of devices around The World](http://web-archive.nli.org.il/National_Library/20160330061658im_///3.bp.blogspot.com/-YHoSuN-zpD4/WlHal849qzI/AAAAAAAAJHM/MrfRtC6Y2n8aZX8J5_sn8sl63iJceuk3gCLcBGAs/w530-h322-p-k/Security%2BHole%2Bon%2BCPU.png)