Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are “going to haunt us for years.”
Just hours after proof-of-concept code was tweeted, security researchers have revealed the long-awaited details of two vulnerabilities in Intel processors dating back more than two decades.
Two critical vulnerabilities found in Intel chips can let an attacker steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.
The researchers who discovered the vulnerabilities, dubbed ” Meltdown ” and ” Spectre,” said that “almost every system,” since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.
“An attacker might be able to steal any data on the system,” said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet .
“Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine,” according to the paper accompanying the research.
The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems.
Also: Major Linux redesign in the works to deal with Intel security flaw
AMD said in a statement: “The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”
British chipmaker ARM told news site Axios prior to this report that some of its processors, including its Cortex-A chips, are affected.
The two bugs break down a fundamental isolation that separates the kernel’s memory — core of the operating system, from low-level user processes. Meltdown lets an attacker access whatever is in the affected device’s memory, including sensitive files and data, by melting down the security boundaries typically held together by the hardware. Spectre, meanwhile, can trick apps into leaking their secrets.
One example of a worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory.
The researchers said it wasn’t known if either bug had been exploited by attackers to date. The UK’s National Cyber Security Center also said it too has seen “no evidence” of any malicious exploitation.
Despite an embargo to ensure a safe disclosure, news of the bugs first emerged Tuesday when tech site The Register reported details of the yet-to-be-released bugs.
Behind the scenes, tech giants were already working on a coordinated response to issue critical patches to their customers, and their own systems. Tech firms had until January 9 to get their houses in order.
But on Wednesday, security researcher Erik Bosman tweeted a proof-of-concept code, in part prompting an earlier release.
Microsoft released patches for Windows, outside its usual Patch Tuesday update schedule. (Windows Insiders on the fast-ring already received the patches in November.) Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment. And, patches for Linux systems are also available.
Many cloud services running Intel-powered servers are also affected, prompting Amazon, Microsoft, and Google to patch their cloud services and schedule downtime to prevent would-be attackers from reading other processes on the same shared cloud server.
Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days.
Google said in a blog post that “as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data.”
“We have updated our systems and affected products to protect against this new type of attack,” the blog post said, and listed vulnerable and affected software. Android devices with the latest patches are not vulnerable.
Spokespeople for Amazon, Google, and Microsoft, when reached, did not immediately comment. When we hear back, we will update.
Intel also did not respond to a request for comment prior to publication, but in a statement denied that the exploits were caused by a “bug” or a “flaw.”
“Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits,” said Intel. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
Incoming patches are expected to prevent attackers from exploiting the chips’ design flaw, but have prompted concern that chip performance will be degraded as a result.
That could result in the slowing down of home and work computers, as well as cloud services that host popular sites and services.
Intel’s statement said that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Gruss told ZDNet that general browsing and low processor-intensive work are less likely to be affected by any slow downs.
“We have observed many workloads that are not affected much,” he said. “Generally, a large number of context switches is bad for performance when KAISER is applied,” referring to KAISER, a kernel isolation technique, which Gruss wrote a paper about last year .
“For instance doing a lot of accesses to small files, you might have slow downs of 50 percent or more,” he confirmed.