"Everyone Is Affected": Why The Implications Of The Intel "Bug" Are Staggering
(Technical detail at https://meltdownattack.com/)
Content adapted from this Zerohedge.com article : Source
Earlier today, we reported that according to a press reports, Intel's computer chips were affected by a bug that makes them vulnerable to hacking. Specifically, The Register said the bug lets some software gain access to parts of a computer's memory that are set aside to protect things like passwords, and making matters worse, all computers with Intel chips from the past 10 years appear to be affected. The news, which sent Intel's stock tumbling, was later confirmed by the company.
In a statement issued on Monday afternoon, Intel said it was working with chipmakers including Advanced Micro Devices Inc. and ARM Holdings, and operating system makers to develop an industrywide approach to resolving the issue that may affect a wide variety of products, adding that it has begun providing software to help mitigate the potential exploits. Computer slowdowns depend on the task being performed and for the average user "should not be significant and will be mitigated over time" the company promised despite much skepticism to the contrary.
As Bloomberg helpfully puts it, Intel's microprocessors "are the fundamental building block of the internet, corporate networks and PCs" and while Intel has added to its designs over the years trying to make computers less vulnerable to attack, arguing that hardware security is typically tougher to crack than software, there now appears to be a fundamental flaw in the design.
In a vain attempt to mitigate the damage, Intel claimed that the "flaw" was not unique to its products.
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed," the Santa Clara, California-based company said. "Intel believes these exploits do not have the potential to corrupt, modify or delete data."
The extent of the vulnerability is huge
As Bloomberg writes, "the vulnerability may have consequences beyond just computers, and is not the result of a design or testing error." Here's how the bug "works":
All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they're likely to be asked to run next. By queuing up possible executions in advance, they're able to crunch data and run software much faster.
The problem in this case is that this predictive loading of instructions allows access to data that's normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
Security vulnerability aside, the fix may be just as bad: it would result in a significant slowdown of the CPU, and the resultant machine.
Because the exploit takes advantage of a technology intended to accelerate the performance of the processors, the fix slows them, said the person. In devices with the current generation of Intel chips, the impact will be small, but it will be more significant on older processors. Microsoft is still looking at the impact on the speed of cloud services and how it will compensate paying customers, the person said.
"The techniques used to accelerate processors are common to the industry," said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are "worst case" scenarios.
Intel's troubles will likely spread far beyond just the company: Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue "a couple of months ago."
Google identified the researcher as Jann Horn, and said it has updated its own systems and products with protections from this kind of attack. Some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.
"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we're better off to get the fix in place," Krzanich said, explaining how the company responded to the issue.
On the call, Intel's Smith said the company sees no significant threat to its business from the vulnerability.
"I wouldn't expect any change in acceptance of our products," he said. "I wouldn't expect any concrete financial impact that we would see going forward."
In response to the bug, Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.
Meanwhile, Advanced Micro Devices, whose stock surged on news of Intel's misfortune, said "there is near zero risk" to its processors because of differences in the way they are designed and built. "To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," the company said in a statement.
And then there are the questions about revenue and lost profit.
Quoted by Bloomberg, Frank Gillett, an analyst at Forrester Research, said that providers of computing over the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security.
"When you're running billions of servers, a 5 percent hit is huge," he said.
At the same time, cloud providers will likely have to throttle back the pace of new customers accessing their data centers while they take servers down to fix the problem, and there could be a price spike for servers as demand surges, Gillett said.
There is another take, and according to this one the implications to both Intel and the entire CPU industry could be dire. What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth - cybersecurity reporter at the NYT - according to whom today's "bug" is "not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market." In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix. Here is the full explanation.
1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
3. Our story on the motherlode of all vulnerabilities just posted here: https://www.nytimes.com/2018/01/03/business/computer-flaws.html. More will be post soon.
4. We're dealing with two serious threats. The first is isolated to #IntelChips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
5. The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.
6. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
7. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)
8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
9. Data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
10. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and
11. Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
12. Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear. And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
13. But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.
14. Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
15. The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week
16. But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech cos.
17. Google says its systems have been updated to defend against Meltdown security.googleblog.com/2018/01/todays…. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the MSFT patch for other customers 2day
If the above is remotely true, the semi-space which has surged in recent week alongside the broad tech sector meltup, will have a very tough time in the coming weeks.
At this time, hack operations cannot be stopped because they have a lot of software in order to hack and sometimes they exploit the stupidity of some companies... Intel is not much interested in the privacy and security of people because it dominates the global market in of processors. If there are several companies competing intel there was a different situation... I think a AMD company will do a good job with its new processor (Rayzan). But it's not compared to Intel processors.
The worst part is that they apparently knew about this for a long time before anything was released. Their CEO even had time to make a scheduled distribution so he could sell millions of dollars of Intel stock before the news broke. Horrible.
That’s true and pretty sad
It is not true. Intel specs has the best security in the market right now. All of the big companies uses Intel for a reason. They fully trust them making own big money in play.
Please don't spread Intel's security is bad.
Thank you, my friend.@mys I also use Intel
But I mean.. Intel has no competitor.. Big companies don't have a second choice.. This makes Intel not interested in small details because it has no competitor...
As a fan of Richard Stallman and who has watched the IME issue unfold in the professional IT world, where people have completely had their head in the sand about trusting inherently untrustworthy platforms like Apple/GoogleEnterprise/Android/MSFT/AMZN.
There has yet to be an instance of news that reinforced the naive assumptions about these companies' products being basically secure.
In EVERY case, EVERY product, eventually in its life cycle is revealed to have a major vulnerability that spies and law enforcement have been exploiting for some number of years/months. They have no credibility.
Researchers in Poland and Korea have ten times more credibiilty than any of these companies.
What I am waiting to see is some man in the middle wiresharking of these low level processor vulnerabilities in action. Can someone get a switch going on capture those stealth packets?
This whole meltdown/specter/wpa2/credit record disaster this year doesn't effect most people, who run operating systems, network hardware in mobile devices that are in wide open configurations for surveillance, making them primarily surveillance devices and then secondarily whatever else they might be doing ie farmville, reading a propaganda article as every keystroke is sent back to redmond with weak encryption through 10 routers owned by different international mafias.
In every case the tinfoil hatters have been not only correct, but predictive many years in advance. So when you get ready to install that 'patch' to fix it, maybe you should think twice.
Like, IME has been PUBLIC KNOWLDGE for a LONG time, do you not think it is a weeeee bit odd that there is a big huff to install a patch for it exactly today?
It's insane. Everyone is talking about Intel being held responsible by the government. Like they're going to come down hard on them for the C-suite employees selling their stock before the news broke. Who's going to go after them? The US Gov? Who do you think has been taking advantage of this security flaw? The US Gov has known about it as long as Intel has, and there's a reason they didn't force them to fix it back then. They're the ones benefitting from it. They're not going to hold anyone responsible. Best case they find a scapegoat to appease the public.
Just Great
There is not secure systems, I don't know how this affected to my computer but I'm very scared about that
There are patches already being releases by big OS companies like Apple, Microsoft, Google for their products. Some of the patch updates have already been pushed and the rest are going to get it in the coming days.
how can a normal guy who is not having enough programming can save his computer from hacking. I think if we update every month.
Switching to Linux and using Brave as a web browser.
Use duckduckgo.com for web searches as well.
Wow, thats a nightmare!
Anyone think that this may be the backdoor for government intelligence/counterintel agencies that has been talked about in CS defense and mildef circles for the past 15 years?
What, backdoors? Never :-) Nothing to see here.
How can you think such things, Dubvdave? And: It's already suspicious to think in the first place.
Literally as I type this, I can hear the helicopters coming for me.
Off to the gulag with you!
No doubt, the backdoor has finally been found and leaked.
Why is it right before something like this happens, the CEO always sells a ton of their stock randomly just prior to the "bad news" being announced to the public. It happened with the owner of the MGM Grand who unloaded a large position right before the Vegas Shooting, it happened with the CEO of Equifax which unloaded a huge position right before they announced their massive data breach on their systems, and it happened to the CEO of Intel who sold the maximum amount of his stock position as he was literally allowed to do just before this most recent exploit was announced. Are we really just supposed to think that it's all just coincidence and chance timing? I call BULLSHIT...
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Hello sir, How are you? I am happy to reading your Valuable information.
Really...It is very disgusting and matter of sorrow that computer may be hacked. This kind of hacking can not be stopped.
Here Intel is the best. They are never involved in these hateful work. They are busy to promote their application. Thank you sir @zer0hedge for sharing the precious post.