Security Flaws Threaten Virtually All PCs, Phones

by Moumita Deb Choudhury    Jan 04, 2018

Security experts have uncovered major security flaws that, according to them, enable cyber crooks to steal sensitive data from almost all of the latest computing devices housing microprocessors from Intel, Advanced Micro Devices and ARM Holdings.

One of the bugs is specific to Intel, while another affects smartphones, laptops, desktop computers and internet servers alike.

The two bugs, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in cloud computing networks.

Intel and ARM said that the problem was not a design flaw, but that fixing it will require users to download a patch and update their operating system.

“Phones, PCs, everything is going to have some impact, but it’ll vary from product to product,” said Brian Krzanich, CEO of Intel, in an interview with CNBC.

There is no easy remedy for Spectre, which would require redesigning the processors, according to researchers. As far as Meltdown is concerned, the software patch needed to fix the issue could slow down computers by as much as 30 percent.

“What actually happens with these flaws is different and what you do about them is different,” NYT quoted Paul Kocher as saying. Kocher is a researcher who was an integral member of a team of researchers at big technology companies like Google and Rambus and in academia that discovered the flaws.

Meltdown poses a threat to cloud computing services run by tech companies like Microsoft, Amazon and Google. Google and Microsoft insisted that they had updated their systems to deal with the flaw.

“These vulnerabilities can have big implications. Many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. This will also impact system performance which may have a cumulative effect in data centers for anyone using cloud services and the internet,” said Bryce Boland, Asia Pacific Chief Technology Officer, FireEye.

Shares of Intel plummeted by 3.4 percent following the report but nudged back up 1.2 percent to $44.70 in after-hours trading. Shares in AMD were up 1 percent to $11.77, giving up many of the gains they had made earlier in the day when reports suggested its chips were not affected.

“The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid,” Hans Mosesmann of Rosenblatt Securities in New York said in a note quoted by Reuters, adding that it could hurt the company’s reputation.

Commenting on the recent vulnerabilities, KK Mookhey, CEO & Founder of Network Intelligence, said, “This issue represents a higher risk in cloud environments because it would be very easy to create an AWS or Azure account, start a new instance and then run the exploit to dump memory of the server which would be hosting many other instances of other customers. The attacker would then leverage the passwords or private keys dumped from memory of other servers to access those and then keep jumping across the entire network of the cloud service provider. This is why almost all cloud service providers have issued advisories and rushed to apply patches.”

“For enterprise customers who are not on the cloud, this issue isn’t going to bring the skies crashing down as it’s not remotely exploitable. So launching the attack would first require compromising the network and systems using some other means of attack. The widespread attack is unlikely to be seen immediately unless it gets combined with a vulnerability to first get access to the target system and then run the memory dumping exploit code (such as EternalBlue type vulnerability exploited by WannaCry),” he added.

“Large organizations will need to make a risk management decision as to how quickly they update their systems, as this can be disruptive and costly,” said Boland.

“We are yet to understand the full impact of this development, and not all details are available. At this stage, the exploitable code is not publicly available. Nation-state hackers typically use these types of vulnerabilities to develop new attack tools, and that’s likely in this case,” he added.