The device you’re using right now has a big security flaw — but you don’t have to panic

There’s almost certainly a critical security flaw or two in the device you’re using to read this story — but you don’t have to panic.

To varying degrees, the flaws affect processors found in virtually all computers and phones, and could allow an attacker to access data stored in a device’s memory that should typically remain private.

The researchers announced the discovery publicly this week — calling the two bugs Meltdown and Spectre — and warned the security of everything from passwords and encryption keys to documents and photos could be at risk.

‘One of the worst CPU bugs ever found’
But while the problem is serious, and an inherent part of how most modern computer processors are designed to function, there are already efforts to minimize the impact and help you get on with your life.

What do I need to do?

For most people, the same advice as usual applies: Make sure the applications and operating systems on your phones, laptops, and other devices are up to date.

If you’re using a Mac, iPhone, iPad, or Apple TV, Apple recently rolled out an update that attempts to mitigate the problem, with more fixes on the way, according to the company.

Google says the latest version of Android already contains the necessary fixes, while Microsoft pushed out an automatic update for Windows users Wednesday night.

Computers running Microsoft’s Windows operating system should automatically receive a software update designed to mitigate the Meltdown flaw disclosed by researchers this week.

PC users will also require a separate CPU update from whoever made their device (for example, Lenovo or HP). “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” the chipmaker said in a press release.

You’ll also want to update apps like your web browser and anti-virus software when they become available. Developers are beginning to roll out fixes to make it more difficult for sensitive user data to be accessed.

What are these updates trying to fix?

The two flaws let attackers access parts of a computer’s memory that they shouldn’t normally have access to, by abusing the way that computer processors are designed to handle information more quickly.

One of the flaws, called Meltdown, allowed the researchers to access data stored in the kernel — the core of a computer’s operating system, which runs in a protected part of a computer’s memory, and effectively watches over everything your computer does.

By design, applications can’t access the kernel, a protection that’s built into the hardware of the CPU itself. But the researchers found a way around that, giving them access to the kernel and, from there, any data stored in a computer’s memory — which could include everything from passwords to photos. This attack has only been found to work on processors made by Intel.

“The bug basically melts security boundaries which are normally enforced by the hardware,” the researchers wrote.

HOLIDAY SHOPPING

One of the software flaws identified by researchers only affects processors made by Intel, while the other affects AMD and Intel chips as well. The processors are found in virtually all modern phones, computers, and servers.

The other flaw, called Spectre, allowed researchers to target data that applications store in a computer’s memory directly (typically, applications can’t access the memory used by other applications).

It’s related to Meltdown, but differs in a number of ways that the researchers detail in a pair of technical papers. This attack was found to work on Intel, AMD, and even ARM processors, which are commonly used in mobile devices such as smartphones and tablets.

How would someone attack?

The same way that most other types of attacks work: by gaining access to your computer.

As such, the usual advice for dealing with malicious software applies here too. Install updates when they become available, and always scrutinize the apps you install, the files you open, and the links you click.

But everything will be fine now, right?

Sort of. While Meltdown can be patched, Spectre will be much more difficult to defend against long-term because of the way that CPUs are designed — and that’s worrying, because it’s the vulnerability that affects a far wider range of chips.

The researchers say any Spectre-specific software patches for applications, operating systems or CPUs should be considered stopgaps while more research takes place.

“As it is not easy to fix, it will haunt us for quite some time,” the researchers wrote.

All of the big cloud providers — Amazon, Google and Microsoft — say their systems have been updated to help prevent Meltdown-style attacks, but customers are being advised to patch their own systems as well.

Who’s most at risk?
Home users aren’t at any more risk than usual when new bugs and flaws are discovered, as long as you install your updates.

For cloud computing providers on the other hand, this is a nightmare scenario.

In the cloud, multiple customers typically share the resources of a more powerful computer by running their applications and services in a so-called virtual machines. However, the researchers warn Meltdown can be used to access data from beyond the virtual machine — data from the host computer, or even inside other customers’ virtual machines.

All of the big cloud providers — Amazon, Google and Microsoft — say their systems have been updated to prevent Meltdown-style attacks, but customers are being advised to patch their own systems as well.

Why do these issues even exist?  The researchers sum it up pretty nicely in one of their papers: “The vulnerabilities in this paper, as well as many others, arise from a longstanding focus in the technology industry on maximizing performance” — but at the expense of security.

In fact, the flaws detailed by researchers this week are so fundamental to the design of modern processors that the only way to truly prevent any attacks is for Intel, AMD and ARM to redesign their chips. In fact, the Software Engineering Institute’s Computer Emergency Response Team (CERT) was especially blunt in its proposed solution: Get a new CPU.

Of course, that’s not going to be practical for most people and businesses, and so hardware and software companies are attempting to mitigate the two flaws’ effects with software updates the best they can.

By Matthew Braga, CBC News Posted: Jan 04, 2018 4:11 PM ET