Meltdown and Spectre: Chip hack gets a name, emergency patch and official statement from Microsoft

The story regarding the massive vulnerability in nearly every PC and apparently also phone for the last 20 years is rapidly unfolding today and more details have now been revealed by two security researchers at the centre of the discovery.

Dubbed  “Meltdown” and “Spectre,”  and in “almost every system,” the vulnerability has apparently been present since 1995 and lets hackers access data from any location in the physical memory of a system.

“An attacker might be able to steal any data on the system,” said Daniel Gruss, a security researcher.

The team confirmed that not just Intel chips are affected with some but not all AMD chips also vulnerable. AMD, however, said: “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”

ARM added that some of its processors, including its Cortex-A chips, are affected. Cortex-A cores are also used in Qualcomm’s popular Snapdragon series.

Using the Meltdown hack, an unprivileged application such as Javascript code could potentially read your passwords from memory and export them anywhere on the internet. Mozilla has confirmed that a Javascript-based attack is possible and are patching Firefox to mitigate this. Intel has said attackers will however not be able to modify the RAM of a PC or phone, limiting the damage somewhat.  Spectre can, however, trick applications into revealing information.

At present, the UK’s National Cyber Security Center said there is no evidence of malicious exploits in the wild, but given the scope of the vulnerability, we assume hackers are rushing to produce exploit code, with proof of concept code already being released on Twitter by security researcher Erik Bosman.

The full details of the vulnerability have now been published here.

Microsoft has released an out of band security patch to address the issue, saying in a statement:

We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

Apple reportedly patched the flaw in macOS 10.13.2 and patches for Linux systems are also available and new processors are expected to be re-engineered further address the issue.

The Windows 10 patch will be automatically applied at 5PM ET / 2PM PT today, while patches for older versions of Windows will roll out on Patch Tuesday. Microsoft has not said if they will be patching Windows XP.

The patch has the potential to slow PCs down, but newer processors such as Skylake are less affected, and not all tasks are equally affected, with tasks such as accessing many small files more affected than simply browsing for example.

While the vulnerability has been sold as a Intel issue initially, PCs are much easier to fix than the vast raft of Android phones who are no longer receiving updates, suggesting, in the end, this may become a phone problem for well into the future.

Daniel Gruss, noting how tricky the Spectre attacks are to mitigate, said they problem are “going to haunt us for years.”

Via ZDNET, the Verge