(Technical detail at https://meltdownattack.com/)
Content adapted from this Zerohedge.com article : Source
Earlier today, we reported that according to a press reports, Intel's computer chips were affected by a bug that makes them vulnerable to hacking. Specifically, The Register said the bug lets some software gain access to parts of a computer's memory that are set aside to protect things like passwords, and making matters worse, all computers with Intel chips from the past 10 years appear to be affected. The news, which sent Intel's stock tumbling, was later confirmed by the company.
In a statement issued on Monday afternoon, Intel said it was working with chipmakers including Advanced Micro Devices Inc. and ARM Holdings, and operating system makers to develop an industrywide approach to resolving the issue that may affect a wide variety of products, adding that it has begun providing software to help mitigate the potential exploits. Computer slowdowns depend on the task being performed and for the average user "should not be significant and will be mitigated over time" the company promised despite much skepticism to the contrary.
As Bloomberg helpfully puts it, Intel's microprocessors "are the fundamental building block of the internet, corporate networks and PCs" and while Intel has added to its designs over the years trying to make computers less vulnerable to attack, arguing that hardware security is typically tougher to crack than software, there now appears to be a fundamental flaw in the design.
In a vain attempt to mitigate the damage, Intel claimed that the "flaw" was not unique to its products.
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed," the Santa Clara, California-based company said. "Intel believes these exploits do not have the potential to corrupt, modify or delete data."
The extent of the vulnerability is huge
As Bloomberg writes, "the vulnerability may have consequences beyond just computers, and is not the result of a design or testing error." Here's how the bug "works":
All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they're likely to be asked to run next. By queuing up possible executions in advance, they're able to crunch data and run software much faster.
The problem in this case is that this predictive loading of instructions allows access to data that's normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
Security vulnerability aside, the fix may be just as bad: it would result in a significant slowdown of the CPU, and the resultant machine.
Because the exploit takes advantage of a technology intended to accelerate the performance of the processors, the fix slows them, said the person. In devices with the current generation of Intel chips, the impact will be small, but it will be more significant on older processors. Microsoft is still looking at the impact on the speed of cloud services and how it will compensate paying customers, the person said.
"The techniques used to accelerate processors are common to the industry," said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are "worst case" scenarios.
Intel's troubles will likely spread far beyond just the company: Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue "a couple of months ago."
Google identified the researcher as Jann Horn, and said it has updated its own systems and products with protections from this kind of attack. Some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.
"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we're better off to get the fix in place," Krzanich said, explaining how the company responded to the issue.
On the call, Intel's Smith said the company sees no significant threat to its business from the vulnerability.
"I wouldn't expect any change in acceptance of our products," he said. "I wouldn't expect any concrete financial impact that we would see going forward."
In response to the bug, Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.
Meanwhile, Advanced Micro Devices, whose stock surged on news of Intel's misfortune, said "there is near zero risk" to its processors because of differences in the way they are designed and built. "To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," the company said in a statement.
And then there are the questions about revenue and lost profit.
Quoted by Bloomberg, Frank Gillett, an analyst at Forrester Research, said that providers of computing over the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security.
"When you're running billions of servers, a 5 percent hit is huge," he said.
At the same time, cloud providers will likely have to throttle back the pace of new customers accessing their data centers while they take servers down to fix the problem, and there could be a price spike for servers as demand surges, Gillett said.
There is another take, and according to this one the implications to both Intel and the entire CPU industry could be dire. What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth - cybersecurity reporter at the NYT - according to whom today's "bug" is "not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market." In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix. Here is the full explanation.
1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
3. Our story on the motherlode of all vulnerabilities just posted here: https://www.nytimes.com/2018/01/03/business/computer-flaws.html. More will be post soon.
4. We're dealing with two serious threats. The first is isolated to #IntelChips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
5. The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.
6. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
7. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)
8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
9. Data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
10. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and
11. Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
12. Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear. And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
13. But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.
14. Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
15. The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week
16. But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech cos.
17. Google says its systems have been updated to defend against Meltdown security.googleblog.com/2018/01/todays…. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the MSFT patch for other customers 2day
If the above is remotely true, the semi-space which has surged in recent week alongside the broad tech sector meltup, will have a very tough time in the coming weeks.
Copying/Pasting full texts of articles from known internet personalities without their consent, and without adding anything original is frowned upon by the community.
www.zerohedge.com has confirmed that they have not given any permission for their content to be reused for profit.
Some tips to share content and add value:
Repeated copy/paste posts could be considered spam. Spam is discouraged by the community, and may result in action from the cheetah bot.
If you are actually the original author, please do reply to let us know!
Thank You!
More Info: Abuse Guide - 2017.
sucks for us true workers as we put a lot of work in for very little reward. Regarding Intel they have had backdoors for years https://www.coreboot.org/Intel_Management_Engine
At this time, hack operations cannot be stopped because they have a lot of software in order to hack and sometimes they exploit the stupidity of some companies... Intel is not much interested in the privacy and security of people because it dominates the global market in of processors. If there are several companies competing intel there was a different situation... I think a AMD company will do a good job with its new processor (Rayzan). But it's not compared to Intel processors.
The worst part is that they apparently knew about this for a long time before anything was released. Their CEO even had time to make a scheduled distribution so he could sell millions of dollars of Intel stock before the news broke. Horrible.
That’s true and pretty sad
It is not true. Intel specs has the best security in the market right now. All of the big companies uses Intel for a reason. They fully trust them making own big money in play.
Please don't spread Intel's security is bad.
Thank you, my friend.@mys I also use Intel
But I mean.. Intel has no competitor.. Big companies don't have a second choice.. This makes Intel not interested in small details because it has no competitor...
As a fan of Richard Stallman and who has watched the IME issue unfold in the professional IT world, where people have completely had their head in the sand about trusting inherently untrustworthy platforms like Apple/GoogleEnterprise/Android/MSFT/AMZN.
There has yet to be an instance of news that reinforced the naive assumptions about these companies' products being basically secure.
In EVERY case, EVERY product, eventually in its life cycle is revealed to have a major vulnerability that spies and law enforcement have been exploiting for some number of years/months. They have no credibility.
Researchers in Poland and Korea have ten times more credibiilty than any of these companies.
What I am waiting to see is some man in the middle wiresharking of these low level processor vulnerabilities in action. Can someone get a switch going on capture those stealth packets?
This whole meltdown/specter/wpa2/credit record disaster this year doesn't effect most people, who run operating systems, network hardware in mobile devices that are in wide open configurations for surveillance, making them primarily surveillance devices and then secondarily whatever else they might be doing ie farmville, reading a propaganda article as every keystroke is sent back to redmond with weak encryption through 10 routers owned by different international mafias.
In every case the tinfoil hatters have been not only correct, but predictive many years in advance. So when you get ready to install that 'patch' to fix it, maybe you should think twice.
Like, IME has been PUBLIC KNOWLDGE for a LONG time, do you not think it is a weeeee bit odd that there is a big huff to install a patch for it exactly today?
It's insane. Everyone is talking about Intel being held responsible by the government. Like they're going to come down hard on them for the C-suite employees selling their stock before the news broke. Who's going to go after them? The US Gov? Who do you think has been taking advantage of this security flaw? The US Gov has known about it as long as Intel has, and there's a reason they didn't force them to fix it back then. They're the ones benefitting from it. They're not going to hold anyone responsible. Best case they find a scapegoat to appease the public.
Just Great
There is not secure systems, I don't know how this affected to my computer but I'm very scared about that
There are patches already being releases by big OS companies like Apple, Microsoft, Google for their products. Some of the patch updates have already been pushed and the rest are going to get it in the coming days.
how can a normal guy who is not having enough programming can save his computer from hacking. I think if we update every month.
Switching to Linux and using Brave as a web browser.
Use duckduckgo.com for web searches as well.
Wow, thats a nightmare!
Anyone think that this may be the backdoor for government intelligence/counterintel agencies that has been talked about in CS defense and mildef circles for the past 15 years?
What, backdoors? Never :-) Nothing to see here.
How can you think such things, Dubvdave? And: It's already suspicious to think in the first place.
Literally as I type this, I can hear the helicopters coming for me.
Off to the gulag with you!
No doubt, the backdoor has finally been found and leaked.
Why is it right before something like this happens, the CEO always sells a ton of their stock randomly just prior to the "bad news" being announced to the public. It happened with the owner of the MGM Grand who unloaded a large position right before the Vegas Shooting, it happened with the CEO of Equifax which unloaded a huge position right before they announced their massive data breach on their systems, and it happened to the CEO of Intel who sold the maximum amount of his stock position as he was literally allowed to do just before this most recent exploit was announced. Are we really just supposed to think that it's all just coincidence and chance timing? I call BULLSHIT...
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Hello sir, How are you? I am happy to reading your Valuable information.
Really...It is very disgusting and matter of sorrow that computer may be hacked. This kind of hacking can not be stopped.
Here Intel is the best. They are never involved in these hateful work. They are busy to promote their application. Thank you sir @zer0hedge for sharing the precious post.
interesting stuff!
Amazing.
AMD gets a chance now.
These things cannot be let go unpunished by markets.
Very errie! Then how safe are cryptos?
Bitcoin price is dropping due to this bug...iis it mean that the technology of blockchain is weak?
Hello follow me he has photos of my dog there it is ugly
some of linux distros have already pushed the update to fix this issue as Linux foundation has released the fix to this bug.
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Free vote for you :) yayy
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
thank you steemit you are making my dreams come true!
Watch new and interesting thing which you have never thought @insideyou
It wouldn't surprise me if this was an intentional "bug".
Better prepare ourselves for the worst I guess.
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Thanks for the great post!
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
amazing
https://steemit.com/hack/@haja/steemit-automated-follow-and-unfollow
Thanks @zer0hedge for your news I appreciate your post
Thanks for the valuable information
Yes, but there are powerful computers, and they have a big breakthrough
This post has received gratitude of 20.01 % from @appreciator thanks to: @zer0hedge.
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Wow, sounds bewilderingly dangerous. The implications for cyberterrorism are mind blowingly complex.
That bug really affected our ticket inflow. So many inquiries regarding that as security is of great concern.
Awesome! Awesome post.
I'm pretty new on steemit
Kindly check out my introductory post
https://steemit.com/untalented/@loismark/introducing-my-humble-self-8ade5879e2383
So in short, we're not safe from hackers? Haha maybe they knew it in the first place even before they release those things to the market.
I guess this means we have to be ultra careful with our crypto passwords now that we are all on the way to being crypto millionaires.
It’s mostly a danger for passwords which have been saved though?
Or just you know, write they down on paper. As long as your house doesn't burn down you are safe.
And you don't have to buy several harddrives(several because you need backups). Who also are a lot more expensive then a piece of paper.
this sounds bad! Companies like Amazon , Google , Microsoft are already releasing patches for their part, but the cloud customers still need to patch the OS themselves.
so as a consumer, what can we do to protect ourselves? we have no choice other than to side with one company or another and trust that what they provide is trustworthy.
Hey @zer0hedge , nice to read your post. It's new for me, so I have a question. Since when it available for us? How it works simply?
A very important topic I have benefited
from some information
I did not know this.........thnx for share this post
Postnya ordinary aja, but many who like, the income of money is also a lot, well I became jealous 😑
my dell is already pretty fucking slow I can't imagine I will notice
Days like this is got me loving my AMD stock and processor!
It's hard not to believe this was not "planned".
Yeah, I posted about this yesterday. I find it somewhat depressing that even though I beat you to publishing the story by a whole day, you have more than 200 times the upvotes than I got.
Geez.
Is false. This is a design error.
Anywho, thanks for getting this in front of more people. Even if we can't do anything about it, at least we know.
this post very nice..thanks for sharing this post.
https://steemit.com/steem-network/@bigcripin144/thank-you-steemit-to-all-who-love-steem-hit-upvote-why-just-steemit
Yikes this is bad news.. did not sign into steemit and wish to hear this, but thank you mightily for sharing this information. I hope that the patching can help cover up many individual's data, and help to curve this disastrous scenario... man this is really quite scary and baffling to me, but I just hope that this does not turn out to be as bad as what it sounds... GOOD LUCK MY FRIENDS
Thanks for this. Very helpful
WOW Today you excelled yourself to put this beautiful subject
Spectre is harder to exploit that is true
The supremacy of Intel in the world of processors is undeniable. The race has the power with AMD is at the expense of other evolution and notament safety.
This article scares me, we are talking about more than ten years of processors with hundreds of output versions that powers all the computers on the planet.
The computer equips the mighty big of this world or military or government organizations; these deniers want the best and so are on intel and non AMD products.
If security vulnerabilities allow intrusions, it becomes urgent to react.
I think that some networks are closed intranet thus limit the risk but intel must react as quickly as possible.
AMD will explode these sales soon.
Thank you for this article really interesting (I am amd because not the way to buy intel ^^)
Kinda sucks that you are profiting off of somebody elses hard work...