Arthur J. Villasanta – Fourth Estate Contributor
Santa Clara, CA, United States (4E) – There have been no real-world hacks of computers and mobile phones stemming from the criminal exploitation of the extremely dangerous “Spectre” and “Meltdown” cyber security flaws present in practically all microchips ever built, and those concerned with this mind-boggling problem hope it stays this way.
These serious hardware flaws affect all the modern central processing units — or microchips — made by Intel, Arm and AMD over the past 20 years. That’s the equivalent of tens of billions of microchips.
“The underlying vulnerability is primarily caused by CPU architecture design choices,” said the Computer Emergency Response Team (CERT), an expert group that handles computer security incidents.
“Fully removing the vulnerability requires replacing vulnerable CPU hardware.”
The belated discovery of Meltdown and Spectre has sent developers across major platforms around the world scrambling to roll out fixes for the bugs. AMD, however, claims some of the flaws don’t affect its processors at all.
Intel, AMD and Arm, which produce practically all the computer chips used in all digital devices today, believe they can fix, or mitigate, Meltdown and Spectre with software patches. The trio, however, can’t explain why this flaw exists and why it took them all of 20 years to discover it. They keep insisting Meltdown and Spectre aren’t design flaws.
Apple admits that all iPhones, iPads and Mac computers are affected by Meltdown and Spectre. It said it’s already released some patches but there was no evidence that the vulnerability has been exploited.
Meltdown and Spectre let hackers circumvent the hardware barrier that exists between applications run by users and the computer’s memory. This flaw allows hackers to read the system’s memory.
Meltdown, the more dangerous of the two, affects laptops, desktop computers and internet servers equipped with Intel chips. It allows hackers to steal data, including passwords saved in Web browsers. Meltdown is specific to Intel.
Meltdown affects the kernel memory on all Intel x86 processor chips manufactured over the past decade. This makes it possible for hackers to take advantage of other security flaws or expose secure information, including passwords. This will expose individual computers and entire server networks to hacks.
On the other hand, Spectre is a bug affecting chips in smartphones and tablets. It enables hackers to manipulate apps into leaking sensitive information. Although Spectre is seen as less dangerous than Meltdown, it’s expected to be more difficult to patch.
Intel, AMD and Arm said users will be required to download a patch and update their operating systems to fix the flaws.
Microsoft, Apple and Linux, the companies that developed the world’s three major operating systems, are all issuing updates that should serve as a fix for the vulnerability.
The flaws have been described as “probably one of the worst CPU (central processing unit) bugs ever found.”
Consumers have been advised to check with their device makers and operating system providers for all security updates and install any updates as soon as possible.
An update is on the way for Apple laptops and desktops. Chromebook users with the older versions will need to install an update. Chrome web browser users are expected to receive a patch on January 23.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” said Apple.
“These issues apply to all modern processors and affect nearly all computing devices and operating systems.”
Apple said it had already released mitigations against Meltdown in its latest iPhone and iPad operating system update, iOS 11.2, and in macOS 10.12.2 for its MacBooks and iMacs.
Meltdown does not affect the Apple Watch since the bug was an issue with Intel processors not contained in that device.
Patches against Spectre, in the form of an update to web browser Safari, will be released “in the coming days.”
Google has posted a full list of affected products and their updated security status on its website.
It said its Android phones, which account for over 80% of the global market, are protected if users had the latest security updates. It revealed a new security update dated Jan. 5 will include “mitigations” to help protect phones, and future updates will include more such fixes.
On Jan. 23, a new version of Google Chrome should also include mitigations to protect desktops and phones from web-based attacks.
Microsoft has already released fixes for many of its services. It released a security update on Jan. 3 to help mitigate the issue. Windows 10 will automatically download necessary security updates, and often install them itself.
Amazon Web Services, Google Cloud Platform, Microsoft Azure and other major cloud services say they’ve been able to patch most of their services and will release fixes for the rest soon.
“It’s a big one and it’s a severe one,” said Jeff Pollard, an analyst at Forrester Research. “This gives an attacker capabilities that bypass the common operating system security controls that we’ve relied on for 20 years. There’s big impact on both the consumer and enterprise.”
Provided by FeedSyndicate