Major Flaw in Millions of Intel Chips Revealed

[CFC]

Looks troubling. Wonder if there'll be some lawsuits flying around?

Major flaw in millions of Intel chips revealed

A serious flaw in the design of Intel's chips will require Microsoft, Linux and Apple to update operating systems for computers around the world.

Intel has not yet released the details of the vulnerability, but it is believed to affect chips in millions of computers from the last decade.

The UK's National Cyber Security Centre (NCSC) said it was aware of the issue and that patches were being produced.

Some experts said a software fix could slow down computers.

"We are aware of reports about a potential flaw affecting some computer processors. At this stage there is no evidence of any malicious exploitation and patches are being produced for the major platforms," the NCSC said in a statement.

"The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available."

The bug could allow malicious programs to read the contents of the so-called kernel memory of computers, which can include passwords and login keys.

It is also likely to affect major cloud computing platforms such as Amazon, Microsoft Azure and Google, according to The Register, which broke news of the flaw.

Read the rest here

 

[Swerlz]

Is this related to the hardware backdoors that was discovered in the Intel Management Engine a few months ago?

 

[JessFR]

Impossible to know until more details are released. Seems unlikely though.

 

[thujone]

All the vulnerable products are listed in this article: https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

So nearly all Intel CPUs are vulnerable to all three exploits, AMD is thought to be vulnerable to at least one of them but also invulnerable to at least one, and most ARM designs are not vulnerable.

List of patches available now: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

However,

On January 3rd 2018, Microsoft released emergency out-of-band updates for Windows 7 SP1, Windows 8.1, Windows 10, and various Windows Server versions. Though these updates help to mitigate the Spectre and Meltdown speculative execution side-channel vulnerabilities, but to be fully protected you will also need to install the latest firmware & bios updates for your computer.

AMD has said microcode updates will be coming but for Intel processors there is no low-level fix, it will depend on the best effort of the OS.

 

[CFC]

^ Thanks for the Register link mate!

It affects potentially all out-of-order execution Intel processors since 1995

Until I read that, I was generally assuming I'd be OK because my Mac's Intel processors were kinda old

 

[thujone]

np, i've been following the issue closely because of all my cloud resources :S for most users, web browsers are the most important to update now, with OS updates being slightly lower priority, and microcode updates the last line of defense. Intel CPUs are just flat-out fucked, though, hopefully it leads to a class-action suit

 

[CFC]

Yeah I'm going to get right to that browser fix you suggest. I'll quote it here for anyone else who's worried (the links are in the quote):

Our advice is to sit tight, install OS and firmware security updates as soon as you can, don't run untrusted code, and consider turning on site isolation in your browser (Chrome, Firefox) to thwart malicious webpages trying to leverage these design flaws to steal session cookies from the browser process.