In an announcement revealed on Wednesday, January 3, 2018, information security research professionals shared the news that a common processor design used by computer chip makers Intel and AMD, and mobile chip tech designer Arm contains two flaws that can allow an attacker to obtain private information such as passwords and encryption keys and ultimately expose sensitive system data. Though discovered in 2017, these flaws have existed on chips for nearly 20 years.
Since processors are critical to running our computerized devices, these vulnerabilities, known as Spectre and Meltdown, are of major concern, as they can impact everything from desktop PCs to smartphones to servers. While chip makers are affirming that they have fixes to the problems ready to go, here are a few things to know in the meantime relating to how this happened, who’s at risk, and how to protect yourself.
About the Vulnerabilities
The two vulnerabilities were discovered by researchers from Google's Project Zero, Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies Cyberus and Rambus. These researchers discovered that the two flaws could allow attackers to read sensitive information that should never leave the processor’s central processing unit.
With a successful exploit of either of the two vulnerabilities, attackers could see temporary processor data made available outside of the chip, which makes computers run faster through a process called speculative execution (guessing the information a computer needs to perform in sequence in order to help the computer deliver quicker results). While a chip is guessing via speculative execution, sensitive information that the chip is holding can be accessed in that moment.
If successfully executed, an attack targeting the Spectre flaw would allow attackers to fool the processor into starting the speculative execution process so they can read the chip’s secret data. Exploiting Meltdown would allow attackers to gain the sensitive information through a computer's operating system (i.e. Microsoft Windows, Apple's High Sierra, etc.) and also affects servers, which are vital to all major cloud services, including Amazon Web Services and Google Cloud.
Who’s at Risk
While the United States Computer Emergency Readiness Team has reported no known current examples of hackers using these vulnerabilities for computer attacks, the risks of attacks targeting these flaws beginning to emerge are now greater since the design flaw details and method of exploitation has been made public. To successfully exploit either of these flaws, attackers would have to install malicious software on a system before they could take advantage of these vulnerabilities to obtain sensitive information. However, recent history has already proven that attackers can find ways to install all kinds of malicious software on vulnerable systems.
How to Protect Yourself
Software updates and patches are already available from many computer companies and chipmakers, so it is critical for organizations to install those as they come available. Major cloud providers such as Amazon and Microsoft have asserted that they are nearly finished installing the patches and other software protections to insulate their environments from these flaws, but those using other cloud services should ask their service provider about their progress in patching the flaws. Phishing emails that attempt to trick individuals into clicking and downloading malicious software are among the most popular ways hackers can install software on a computer, so companies should continue to emphasize the dangers of phishing in their awareness programs and to continue to implement defenses designed to reduce the likelihood that phishing e-mails will be effective. It is also important to keep web browser and Flash updates installed as well.
Contact us to learn more about how LBMC Information Security’s experts can help you guard against vulnerabilities and cyber-attacks like those described here.