(Bloomberg) — The world's biggest chipmakers and software companies, including Intel Corp. and Microsoft Corp., are coming to grips with a vulnerability that leaves vast numbers of computers and smartphones susceptible to hacking and performance slowdowns.

Google researchers recently discovered that a feature, present in almost all of the billions of processors that run computers and phones around the world, could give cyberattackers unauthorized access to sensitive data — and whose remedy could drag on device performance. News of the weakness, found last year and reported Tuesday by The Register technology blog, weighed on shares of Intel, the biggest semiconductor maker, while boosting rivals including Advanced Micro Devices Inc. Intel's silence for most of Wednesday added to investors' unease.

Late in the day, Intel, Microsoft, Google and other tech bellwethers issued statements aimed at reassuring customers and shareholders. Intel said its chips weren't the only ones affected and predicted no material effect on its business, while Microsoft, the largest software maker, said it released a security update to protect users of devices running Intel and other chips. Google, which said the issue affects Intel, AMD and ARM Holdings Plc chips, noted that it updated most of its systems and products with protections from attack. Amazon.com Inc., whose AWS is No. 1 in cloud computing, said most of its affected servers have already been secured.

Cyber crime's new era

Hackers for decades have exploited security holes in software — for example, by inducing careless, unsuspecting users to open attachments that unleash viruses or other malware onto a device or network. The weakness uncovered by Google, by contrast, underscores the potential damage wreaked by vulnerabilities in hardware. Complex components, such as microprocessors, can be harder to fix and take longer to design from scratch if flawed.

"It's a big one and it's a severe one. This gives an attacker capabilities that bypass the common operating system security controls that we've relied on for 20 years," said Jeff Pollard, an analyst at Forrester Research. "There's big impact on both the consumer and enterprise."

Google said in a blog post that it privately informed Intel, ARM and AMD of these issues on June 1 last year to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer security firms.

The 'Meltdown' at hand

In research papers made public online Wednesday, this second group of researchers identified a potential cyberattack that could exploit these vulnerabilities. Calling it "Meltdown," the researchers said that in their tests it affected Intel chips most seriously but could also be used against ARM and AMD processors.

The researchers say they discovered another potential attack they dubbed "Spectre" that would be difficult to pull off but also harder to fix. In a paper on Spectre, they said that chipmakers had long prioritized processing speed over security. "As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required," the researchers said.

Intel's stock remained under pressure even after its statement. The company's shares were down 2.2 percent to $44.28 in early trading in New York.

"We struggle to believe that Intel won't face some sort of financial liability," analysts at Sanford C. Bernstein wrote in a note.

Global response

China's largest cloud computing services scrambled Thursday to address the issue. Domestic industry leader Alibaba Group Holding Ltd. said it planned to update its systems from 1 a.m. on Jan. 12 to handle potential chip security issues. Rival Tencent Holdings Ltd. said it was in touch with Intel on possible fixes but wasn't aware of any attempted attacks.

Applying the operating system upgrades designed to remedy the flaw could hamper performance, security experts said. The Register reported that slowdowns could be as much as 30 percent — something Intel said would occur only in extremely unusual circumstances. Computer slowdowns will vary based on the task being performed and for the average user "should not be significant and will be mitigated over time," Intel said, adding that it has begun providing software to help limit potential exploits.

Intel's efforts to play down the impact resulted in a war of words with AMD. Intel said it's working with chipmakers including AMD and ARM Holdings, as well as operating system makers to develop an industrywide approach to resolving the issue. AMD was quick to retort, saying, "there is near-zero risk" to its processors because of differences in the way they are designed and built.

The threat to mobile devices

The vulnerability doesn't just affect PCs. All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they're likely to be asked to run next. By queuing up possible executions in advance, they're able to crunch data and run software much faster.

The problem in this case is that this predictive loading of instructions allows access to data that's normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.

"The techniques used to accelerate processors are common to the industry," said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are "worst-case" scenarios, he said.

Intel Chief Executive Officer Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue "a couple of months ago."

"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we're better off to get the fix in place," Krzanich said, explaining how the company responded to the issue.

Tech company tap dance

Google, a unit of Alphabet Inc., identified the researcher as Jann Horn. While many of its products have already been protected, some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.

Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said in a statement. Late in the day, Microsoft said the majority of Azure cloud infrastructure has been updated with the fix and most customers won't see a noticeable slowdown with the update.

"We have not received any information to indicate that these vulnerabilities had been used to attack our customers," Microsoft said. The fixes were originally planned for release on Jan. 9, but were rushed out Wednesday after the weakness was made public, according to a person familiar with the situation.

Apple Inc. didn't respond to requests for comment about how the chip issue may be affecting the company's operating systems.

Providers of computing power and services via the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing resources and energy to perform the same functions while maintaining security, said Frank Gillett, another analyst at Forrester.

"When you're running billions of servers, a 5 percent hit is huge," he said.
