Spectre
Latest
Researchers discover new ways to abuse Meltdown and Spectre flaws
Intel has already started looking for other Spectre-like flaws, but it won't be able to move on from the Spectre/Meltdown CPU vulnerabilities anytime soon. A team of security researchers from NVIDIA and Princeton University have discovered new ways to exploit Meltdown and Spectre outside of those idenfitied in the past. The researchers developed a tool to explore how else cyber criminals could take advantage of the CPU flaws and found new techniques that could be used to extract sensitive info like passwords from devices.
Intel expands bug bounty to catch more Spectre-like security flaws
To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It's widening its bug bounty program to both include more researchers and offer more incentives to spot Meltdown- and Spectre-like holes. The program is now open to all security researchers, not just by invitation, and includes sweeter rewards for discovering exploits. You now get up to $100,000 for disclosing general security flaws, and there's a new program dedicated to side channel vulnerabilities (read: issues like Spectre) that offers up to $250,000 through December 31st, 2018.
Intel releases new Spectre patch for its Skylake CPUs
More than a month after researchers revealed a pair of serious security issues affecting many modern CPUs, Intel is still working on updates that close the hole. VP Navin Shenoy has written another blog post about the situation, and said that the company has released microcode updates for Skylake-based chips to its industry partners. If one of those chips is inside your PC, you should expect to see a patch arriving shortly, and other platforms should follow "in the coming days." That includes those based on technology including (but not limited to) Broadwell and Haswell which had previously seen an update that the company withdrew after reports of random reboots. Basically, keep an eye out for more firmware and OS updates in the coming days, but we don't yet know exactly how long it will take for this mess to get sorted out on every platform.
Chrome OS update comes with Spectre fix and new screenshot shortcut
Chrome OS version 64 has made its way to stable channel, which means it's hitting your device very, very soon if it hasn't yet. It'll add a handful of new features and improvements, including a screenshot shortcut if you have a Chromebook with a 360-degree hinge like the Acer Spin. You only have to press the power and the volume down buttons at the same time, like what you'd do on an Android phone. It also adds a flag to make Split View easier to activate and gives Android apps the ability to run in the background. In addition, the update improves your lockscreen's performance, presumably making it faster, and finally enables the use of VPN for apps downloaded from Google Play.
Microsoft's new Windows 10 Spectre patch disables Intel's 'fix'
Intel recently admitted that its latest patch for "Spectre" was essentially worse than the bug it was supposed to fix, as it was causing computers to spontaneously reboot. Now, Microsoft has taken action by issuing an out-of-band patch for Windows 7, 8.1 and 10 that disables that fix for Spectre variant 2. If you're experiencing the problem you'll need to download the update, as it won't yet install automatically.
Intel told Chinese firms of Meltdown flaws before the US government
Intel may have been working with many tech industry players to address the Meltdown and Spectre flaws, but who it contacted and when might have been problematic. Wall Street Journal sources have claimed that Intel initially told a handful of customers about the processor vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, but not the US government. While the chip giant does have to talk to those companies to coordinate fixes, the Chinese government routinely monitors conversations like this -- it could have theoretically exploited the holes to intercept data before patches were available.
Intel promises Spectre- and Meltdown-proof chips this year
Intel will release updated chips with built-in mitigations for Spectre and Meltdown vulnerabilities later this year. The announcement was made by chief executive Brian Krzanich during the company's fourth quarter earnings call, and follows flawed patches by Intel and Microsoft that caused random rebooting issues on older and newer CPUs. Despite its misfires, Intel reported 4 percent year-over-year growth to $17.1 billion. Still, the threat of Spectre and Meltdown looms large over the tech industry.
Apple releases Meltdown patches for older versions of macOS
Today, Apple released updates that will protect some older operating systems against the Meltdown vulnerability. Patches for High Sierra were released earlier this month and now Sierra and El Capitan will be protected as well.
Intel tells customers to stop using its faulty Spectre patch
Intel has another Spectre patch in the works, after users reported that its last fix led to random rebooting issues. Consequently, the company is now recommending that its customers stop deploying that original patch, and instead start testing out the new and improved version. Navin Shenoy, executive vice president and general manager of Intel's Data Center group, said in a blog post today that the company has "identified the root cause" for system instability in its Broadwell and Haswell chips, and it started rolling out the new patch to partners over the weekend. For now, all consumers can do is wait for a final version of that fix.
Intel admits Spectre patch problems also affect newer Core chips
Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches. The chipmaker previously said that the reboot issue affects systems running Broadwell and Haswell. Now that it has managed to reproduce the problem internally in an effort to fix it, the company found that a similar behavior can occur in platforms powered by Skylake and Kaby Lake, which are newer than Haswell and Broadwell. Ivy Bridge- and Sandy Bridge-based systems, both older cores, are also susceptible to the bug. Thankfully, Intel VP Navin Shenoy said that they're close to identifying the problem's root issue. "In parallel," he added, "we will be providing beta microcode to vendors for validation by next week."
Congressman requests Meltdown and Spectre briefing from chip makers
US Representative Jerry McNerney sent a letter to Intel, AMD and ARM today requesting a briefing on the Meltdown and Spectre vulnerabilities and the companies' handling of them. McNerney, a California representative and member of the House Energy and Commerce Committee, said, "I am looking to better understand the nature of these critical vulnerabilities, the danger they pose to consumers and what steps your companies plan to take to protect consumers."
Meltdown and Spectre flaws loomed large over CES
The Meltdown and Spectre CPU vulnerabilities hung like a shadow over the festivities of CES. What's typically a celebration of consumer electronics was instead a stark reminder of just how far-reaching these issues are. And that's especially the case for Intel and AMD, both of whom unveiled fast new processors that are still vulnerable to future Spectre exploits. They each had statements about what they're doing to secure their hardware, but there was no escaping that the threat of Spectre is the new normal. That's particularly troubling when tech companies are hoping to launch smart home solutions that seep into every aspect of ours lives.
Intel’s Meltdown and Spectre fixes have some bugs of their own
Earlier this week, Intel said it would have Meltdown and Spectre fixes available by the end of the month for all recently made chips. But as the Wall Street Journal reports, some of the patches the company has released have caused some problems of their own. Some firmware updates are apparently causing computers to reboot.
AMD is deploying a patch for the second Spectre CPU vulnerability
While Intel is at the center of the Spectre/Meltdown fiasco, AMD's chips are also affected by the CPU vulnerabilities. The company previously said that the risk of exploit using variant 2 was near zero due to its chips' architecture. But in its latest announcement, it said that because both variants are still "applicable to AMD processors," it also plans to release patches for the second variant to be absolutely safe. AMD already provided PC manufacturers its fix for the first Spectre version, and Microsoft has begun rolling it out. The chipmaker also said it's working with Redmond to address a problem that delayed the distribution of patches for its older processors.
Google details how it protected services like Gmail from Spectre
Google says it already deployed anti-Spectre and Meltdown solutions to protect its products, and users didn't even notice. The downside of the patches companies are rolling out to fix the CPU vulnerabilities is that they have the potential to slow down systems. For the big G, that means slowdown for huge services like Gmail, Google Drive and Search and its Cloud products. Mountain View had to gather hundreds of engineers working across the company to find a way to protect its products. After a few months, they found a solution for Meltdown and the first variant of Spectre (two of the three vulnerabilities), which they then started rolling out way back in September. Google says it didn't get any complaint reporting performance degradation after it deployed the fix.
Intel pledges transparency after Spectre, Meltdown vulnerability
The last week or so has seen a lot of activity around Meltdown and Spectre, two CPU flaws in modern chips from the likes of AMD and Intel. Apple, Microsoft and Google have provided interim fixes for their respective hardware, but it will take much more than simple patches (that can cause more harm than good) to truly eradicate the issue. Just a few hours after Intel revealed that there may be more slowdowns from its Meltdown processor fix, the company's CEO Brian Krzanich has written an open letter to further detail the steps Intel is taking to deal with the issues.
Google shares which Chromebooks won’t get a Meltdown fix
Google has published a list that includes every Chromebook model, which are vulnerable to Meltdown and the patch status of each one. You can check out the list here. The column you'll most want to pay attention to is the one titled "CVE-2017-5754 mitigations (KPTI) on M63?" If the device has a "Yes" or a "Not needed" in that column, it's safe and if you own it, you have one less thing to worry about. A "No" in that column means the device will need an update to be protected against Meltdown. But if the device is listed as "EoL," there will be no patches for it because it's an end of life product and is no longer supported. EoL devices include Samsung Chromebook Series 5, Samsung Chromebook Series 5 550, Cr-48, Acer C7 Chromebook and Acer AC700.
Intel reveals possible slowdowns from 'Meltdown' processor fix
Your personal computers will be less than 10 percent slower after you install the Spectre/Meltdown fix, Intel has revealed in a blog post. Intel has come to that conclusion after assessing the performance changes in computers using 6th, 7th and 8th Generation Intel core processors with Windows 10. Systems equipped with 8th generation (Kaby Lake, Coffee Lake) chips and SSDs will be the least affected, with the expected impact being less than 6 percent. Devices using the 7th Gen Kaby Lake-H mobile processors will be around 7 percent slower, while the performance impact on systems with the 6th Gen Skylake-S platform is approximately 8 percent.
NVIDIA updates video drivers to help address CPU memory security (updated)
It's not just your processor and operating system that need patches for the Meltdown and Spectre memory vulnerabilities -- your graphics card does, too. To that end, NVIDIA has started releasing updated drivers that help protect against the CPU vulnerability. All its GeForce, Quadro, NVS, Tesla and GRID chips are immune to Meltdown and Spectre themselves, but the code could leave CPUs open to two Spectre variants. The new software immediately mitigates one Spectre flaw, and NVIDIA is promising future mitigations as well as eventual updates to address the second.
Microsoft says security fixes will noticeably slow older PCs
It's been clear for a while that the fixes for the Meltdown and Spectre memory vulnerabilities would slow down PCs, but just how bad is the hit, really? Microsoft has run some benchmarks, and it's unfortunately bad news if your system is less than fresh. While the patches for Meltdown and one variant of Spectre will have a "minimal performance impact," fixing a second Spectre variant through low-level microcode imposes a tangible speed penalty -- and it's particularly bad on systems released around 2015 or earlier.
