How to guard against chip flaws

Fixes have been released for the vulnerabilities Meltdown and Spectre identified in many of the chips powering PCs, servers and mobile devices.
Last week UK-based news portal The Register disclosed that the two flaws, found mainly in chips from Intel but also some from AMD and ARM, could allow hackers to steal supposedly-secure data from the processor kernel.
Vendors were already well advanced in developing fixes for the vulnerabilities and many were released just a day after the news first broke.
Intel has started releasing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits.
According to a statement, Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates.
The company has already issued updates for as much as 90% of processor products introduced within the past five years.
Meanwhile, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.
Fears that the fixes would limit the performance of processors have largely been resolved. Intel reports that extensive testing has been conducted to assess any impact to system performance from the recently released security updates.
Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact.
ARM, meanwhile, reports that the issue, related to cache timing side-channels, has been addressed by the company.
“It is important to note that it is dependent on malware running locally which means it’s imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads,” the company states.
“The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism.”
Security company ESET explains that the Spectre and Meltdown vulnerabilities are by-products of optimisation techniques designed to increase the performance of modern processors.
These “out-of-order” and “speculative” execution techniques let the processor use time it would otherwise spend waiting before executing the next instruction to pre-compute further results, which may or may not be used in the execution flow.
These pre-computed results, if not used, are discarded — but, as researchers have shown, there are side-effects left by such precomputation which are not disposed of thoroughly enough and can sometimes be leaked to the potential attacker.
There are theoretical ways anti-virus could detect the problem, according to an ESET statement. “However, detection would have an extremely negative impact on the device’s performance and significantly influence user experience; it would be a less effective approach than prevention.
“Therefore, we recommend that ESET users keep track of any related patches for their systems and apply them as soon as possible.”
The company recommends that users ensure their browser is kept up to date, and that all operating system and security software is kept current.
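
One way to confirm that the operating-system fixes described above are actually active on a machine, as an added example that is not part of the original article or any vendor's tooling. It assumes a Linux host whose kernel reports per-flaw status under /sys/devices/system/cpu/vulnerabilities; the function names and the sample status lines are constructed for illustration.

```python
from pathlib import Path

# Assumption: a Linux kernel carrying the fixes reports per-flaw status here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a coarse verdict."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        # Conservative choice: a mitigation line that still flags a
        # vulnerable component is reported as only partly covered.
        return "partial" if "vulnerable" in text.lower() else "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(statuses):
    """statuses maps flaw name -> status line, or None when no file exists."""
    report = {}
    for flaw in FLAWS:
        line = statuses.get(flaw)
        # A missing file means the kernel predates this reporting interface.
        report[flaw] = "no_report" if line is None else classify(line)
    return report


def needs_patching(report):
    """Flaws that still call for a kernel or firmware update."""
    ok = ("mitigated", "not_affected")
    return sorted(flaw for flaw, verdict in report.items() if verdict not in ok)


def read_host(base=SYSFS_DIR):
    """Read the status files from a live system (or a test directory)."""
    base = Path(base)
    return {f: (base / f).read_text() if (base / f).is_file() else None
            for f in FLAWS}


# Constructed sample: one flaw mitigated, one open, one not reported at all.
SAMPLE = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}

if __name__ == "__main__":
    host_report = audit(read_host())
    for flaw, verdict in host_report.items():
        print(f"{flaw}: {verdict}")
    print("needs patching:", needs_patching(host_report) or "nothing")
```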