Massive security flaw hits Intel, AMD and Arm processors.

5/1/2018 Google’s Project Zero releases the bulletin while hardware manufacturers scramble to patch the issue.

I have posted the audio bulletin to Anchor.fm here.

A report from Project Zero describes two flaws in chip design and code intended to increase processor performance. All platforms are affected, including Windows, Apple, Linux and Android.

Dubbed Meltdown and Spectre, these flaws could allow malicious code to read sections of memory used by other programs, potentially allowing access to sensitive information like passwords and credit card numbers, as well as more technical information like encryption keys, session tokens and security certificates.

Intel, AMD and ARM are working with software manufacturers and hardware partners to issue security patches. The patches for the flaw include disabling some of the optimisation features, which in some cases could result in a drop in processor performance. A majority of users should not notice any performance impact, but high-performance computing such as research and cloud computing can expect to see a hit in processor-intensive applications.

All users are advised to continue with current best practices which include:

  • Keeping operating systems up to date.
  • Checking with manufacturer websites for firmware updates.
  • Ensuring you are using the latest versions of web browsers like Chrome, Safari and Firefox.
  • Exercising caution when opening unknown attachments or downloading files from the internet.
  • Only obtaining legitimate software direct from publishers.

A permanent fix will require a redesign of the hardware, meaning the flaws will need to remain patched until the processors are replaced. As hardware design and manufacture cycles can take months or years, it will be some time before we can put this behind us.

Users should also note that antivirus applications are unable to detect or fix this issue, as the flaw operates below the application and system levels.
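
On Linux, whether the operating-system patches are active can be read from the kernel's own report rather than from a scanner. The script below is an added example, not part of the original bulletin; it assumes a kernel recent enough to expose the /sys/devices/system/cpu/vulnerabilities files, and the sample directory it builds is constructed.

```shell
#!/bin/sh
# Added example: classify the kernel's reported Meltdown/Spectre status.
# Patched Linux kernels expose one text file per flaw in this directory.
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STRING -> prints patched | not-affected | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo patched ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_flaws [DIR] -> one tab-separated "flaw state raw-text" line per flaw.
# Returns 0 only when every flaw is reported as patched or not-affected.
check_cpu_flaws() {
    dir=${1:-$SYSFS_VULN_DIR}
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$flaw" ]; then
            raw=$(cat "$dir/$flaw")
        else
            raw=""   # no report: kernel too old to expose it, or not Linux
        fi
        state=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$flaw" "$state" "${raw:-<no report>}"
        case "$state" in
            patched|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not captured from a real machine): a partly patched host.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    # spectre_v2 is deliberately left out to show the "no report" case
    echo "$d"
}

sample=$(make_sample)
check_cpu_flaws "$sample" || echo "action needed: apply OS and firmware updates"
rm -rf "$sample"
```

On a real Linux host, call check_cpu_flaws with no argument to read the live kernel report.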

The ITNews article can be found here.

The original Google Project Zero bulletin is here.
