‘Meltdown’: Google team flags Intel bug that may affect billions of devices


from RT:

nformation stored on every desktop computer, smartphone and cloud server since 1995 could be accessed by hackers if two hardware bugs are exploited, a new report has warned.

On Wednesday, security researchers at Google Project Zero disclosed technical details on two security flaws that allow hackers to engage in unauthorized reads of a computer’s memory data, which may contain sensitive information such as passwords.

The researchers discovered that the vulnerabilities affect many CPUs, including those from Intel, Advanced Micro Devices (AMD) and ARM Holdings, as well as the devices and operating systems running on it.

The first method of attack, known as Spectre, can be exploited by hackers to dissolve the barrier that separates different applications and trick otherwise error-free applications into leaking information stored on their memory.

Last year, researchers demonstrated how hackers could utilize “speculative execution” – a technique used by most modern processors to optimize performance – to gain access to sensitive information.

In order to improve speeds, modern processors execute certain functions speculatively, or before it is known whether they are needed. The technique prevents the delay that would come from executing the functions after they are requested.

Jann Horn, a lead researcher for Project Zero who first reported both vulnerabilities, discovered that attackers can take advantage of this technique in order to read information on the system’s memory that should be inaccessible.

In the original report, researchers said the vulnerability affects “billions of devices” that use microprocessors from Intel, AMD, and ARM

The second flaw, known as Meltdown, allows hackers to “melt” security boundaries between user applications and the operating system normally enforced by hardware. Hackers can exploit the vulnerability to gain access to the memory of other programs and the operating system, which could include passwords and other sensitive data.

In the original report, researchers said the vulnerability affects “virtually every user of a personal computer.” However, researchers at Google’s Project Zero have only been able to show that ‘Meltdown’ affects Intel microprocessors.

Daniel Gruss, one of the researchers who originally discovered Meltdown, told Reuters the flaw is “probably one of the worst CPU bugs ever found.”

Gruss said Meltdown was the more serious attack, because it was easier for hackers to take advantage of. However, he said that Spectre was much harder to patch, and would be a bigger problem in the future.

In an overview of the attacks, researchers said it would be “unusual” for either attack to be blocked by an antivirus, since they are “hard to distinguish from regular benign applications.” Google said, however, that an attacker must first be able to run a malicious code on a computer before they can exploit the vulnerability.

Read More @ RT.com