Intel, AMD, ARM processors have serious security flaw: Everything to know

Intel processors have a serious design flaw, which makes billions of PCs across the world vulnerable to cyber-attacks. (Image Source: AP)

The computer world is facing a ‘Meltdown’ after security vulnerabilities have been exposed on processors made by Intel, AMD, ARM and others. According to reports, Intel chips with the x86-64 hardware have a serious design flaw, which makes billions of PCs vulnerable to cyber-attacks. Additionally, the fix will result in considerably slower PC performance for many users.

The issue was first reported by technology blog The Register. Intel has officially addressed the issue. Also Google’s Project Zero team highlighted the problem, though according to them, the vulnerability extends beyond Intel, and includes ARM (their CPU architecture is commonly used on most smartphones), AMD and others. Microsoft has issued an emergency Windows 10 update for the ‘Meltdown’ vulnerability.

The researchers at Google had discovered this crucial CPU flaw last year itself, but the news has become public only now. Google’s Project Zero team hunts for zero-day security vulnerabilities across the world’s software and computer systems. Zero-day exploits are computer vulnerabilities, which have not yet been discovered. Here’s everything to know about the Intel ‘Meltdown’ vulnerability that impacts most computers across the world.

What is ‘Meltdown’ vulnerability on Intel processors? Which systems are impacted?

According to the report on The Register, the design flaw has been found on processors by Intel Corp and it affects Intel x86 processor chips, manufactured in the last decade or so. This would include a variety of devices powered by Intel processors including PCs, Macs, etc.  It impacts those running on Linux, Microsoft’s Windows and other operating systems as well. The report says Linux developers are trying to fix the problem, which does not have an easy solution.

The reports points out the design flaw in Intel processors allows normal programs to access crucial kernel memory. This should ideally remain protected because it contains sensitive information including passwords, security questions etc. If these protections to Kernel memory are bypassed, it is possible for malware or spyware programs to access such crucial data.

Intel’s Meltdown vulnerability can compromise entire server networks, not just individual computers. Google’s Project Zero team was able to demonstrate this where one virtual machine gained access to the host machine, then to another virtual machine. The so-called security flaws on Intel processors are taking place due to “speculative execution,”used by “modern processors (CPUs) to optimise performance,” points out the Project Zero team in their blog post. Speculative execution is where computer systems perform some tasks that might not actually be required.

Intel’s Meltdown vulnerability can compromise entire server networks, not just individual computers. (Image source: ThinkStock)

According to the post by Google’s security researchers, “malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. ” 

What is the fix for all of this ? What impact will it have on computers?

According to the original report by The Register, Linux developers are trying to overhaul the OS’s “kernel’s virtual memory system.” Microsoft will likely address the issue in the upcoming Patch Tuesday. The report also points out that once the fix is available, performance of Intel products will be negatively affected. Computers could slow down by 5 to 30 per cent. Coming to Apple’s 64-bit macOS, this will also need a software update to fix the problem. For now, the company has not yet issued a statement on the same.

What is Intel’s response to all of this crisis? 

Intel has issued a statement saying, “Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.” 

According to Intel, these exploits are not “caused by a ‘bug’ or a ‘flaw’ and nor are they unique to just the company’s products.” The company claims other vendor processors and OS are vulnerable to these hacking exploits as well. The statement says Intel will work with “AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.”

Intel is also denying any performance impact and states it will not be significant for regular users. The statement adds the company had plans of disclosing this in the coming week, but was forced to issue a statement because of “inaccurate media reports”. Additionally, Intel CEO Brian Krzanich told CNBC that he was “relatively confident” that the security vulnerability had not been exploited and promised a fix was coming.

According to Intel, these exploits are not “caused by a ‘bug’ or a ‘flaw’ and nor are they unique to just the company’s products.” (Image source: Bloomberg)

What does Google’s Project Zero team have to say on this? 

If one goes by Google’s blog post, the vulnerability impacts many CPUs, “including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.” Google, on its part, has updated its own systems and products to defend against such attacks. It looks like Google was also supposed to disclose this on January 9, 2018 originally, but news reports have forced them to publish details now. Google says it has fixed the issue for Android devices which have  the latest security update, and Nexus and Pixel devices with the latest security update are protected.

The blog also says in order to actually execute such an attack, the attacker must first be able “to run malicious code on the targeted system.” The team has discovered three methods for this kind of attack where a program can read sensitive kernel memory data. Google also says there is no one fix for all three attack variants and “each requires protection independently.”