Critical Microprocessor Flaws Affect Nearly Every Machine

Researchers release details of Meltdown and Spectre attacks that allow programs to steal sensitive data.

[UPDATED 1/4/2018 7:00AM ET with Microsoft comment and emergency patch information].
After a day of speculation over a reported
design flaw in Intel processors
, security researchers came clean late today with full disclosure of a new and widespread class of attack that affects most computers worldwide.
Researchers from Googles Project Zero Team, Cyberus Technology, Graz University of Technology, University of Pennsylvania and the University of Maryland, Rambus, and University of Adelaide and Data61, all discovered critical flaws in a method used by most modern processors for performance optimization that could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM, according to Google.
The two attacks, called Meltdown and Spectre, can be executed on desktop machines, laptops, mobile devices, and in cloud environments. That means an attacker could steal information from other cloud customers systems, for example.
Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure, the researchers
wrote in an FAQ
about the attacks. Luckily, there are
software patches against Meltdown
, referring to Linux, Windows, and OS X updates (not all of which are yet available, however).
Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.
Spectre forces an application to share its secrets, and is a more difficult attack to pull off. According to the researchers, application safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.
Both attacks use side channels to obtain the information from the accessed memory location, the researchers said.
The researchers say they dont know if the exploits have been used in the wild.
Google senior security engineer Matt Linton, and technical program manager Pat Parseghian in
a blog post
today said Google went public with the vulns in advance of the planned January 9 coordinated disclosure date for all affected vendors because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.
Microsoft
released an emergency patch for Windows
late in the evening, after providing this statement in response to the disclosure: Were aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.
Intel earlier in the day
issued a statement
, noting that it believes these exploits do not have the potential to corrupt, modify or delete data. The chip vendors said it has been providing software and firmware updates to mitigate the attacks, and reports of peformance degradation wont be significant for the average use and will be mitigated over time.
ARM issued
a statement
as well, noting that The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism.
Amazon also issued
a statement
: This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications, Amazon said.
But fair warning: those updates protect AWSs underlying infrastructure only. Full protection requires the operating systems also be patched, Amazon noted.
Related Content:
Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows
The Long Tail of the Intel AMT Flaw
How the Major Intel ME Firmware Flaw Lets Attackers Get God Mode on a Machine

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Critical Microprocessor Flaws Affect Nearly Every Machine