“Researchers with Alphabet Inc’s Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws,” Busvine and Nellis report. “The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.”
“Speaking on CNBC, Intel’s Krzanich said Google researchers told Intel of the flaws ‘a while ago’ and that Intel had been testing fixes that device makers who use its chips will push out next week,” Busvine and Nellis report. “Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the ‘Spectre’ flaw on June 1, 2017 and reported the ‘Meltdown’ flaw after the first flaw but before July 28, 2017.”
“Intel denied that the patches would bog down computers based on Intel chips,” Busvine and Nellis report. “ARM spokesman Phil Hughes said that patches had already been shared with the companies’ partners, which include many smartphone manufacturers. ‘This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory,’ Hughes said in an email. AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there ‘is near zero risk to AMD products at this time.’””
Read more in the full article here.
MacDailyNews Take: Shitshow.
Intel’s official statement, verbatim:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Source: Intel Corporation
Apple has already partially implemented fix in macOS for ‘KPTI’ Intel CPU security flaw – January 3, 2018
Intel’s massive chip flaw could hit Mac where it hurts – January 3, 2018