Meltdown
Latest
Install updates now to address a vulnerability in most Intel CPUs
In January 2018, a pair of security exploits dubbed Spectre and Meltdown showed how attackers could take advantage of commonly-implemented CPU technology to access data they shouldn't have been able to. They were followed by a similar bug, Foreshadow, late last year, and now researchers have uncovered four different techniques that exploit Intel's speculative execution technology in a similar way. The website CPU.fail has collected information about each vulnerability -- they're collectively referred to as Microarchitectural Data Sampling (MDS) -- including Zombieload, RIDL & Fallout, and Store-to-Leak Forwarding. Example code shows how the attacks could be launched using malicious JavaScript, for example, and researchers state that it would be difficult for antivirus software to detect it, however they have not found evidence of anyone using the tech in attacks so far.
MIT finds a smarter way to fight Spectre-style CPU attacks
Many companies have developed patches to mitigate Meltdown- and Spectre-like speculative memory attacks. However, they can come with compromises: they can leave major gaps and still slow down your system. MIT researchers may have a better way. They've developed a new method, Dynamically Allocated Way Guard (yes, DAWG is on purpose), that promises tight security without dragging performance through the dirt.
Intel discloses another set of processor vulnerabilities
Intel disclosed another set of processor flaws today that could let attackers steal information stored on computers or third party clouds. Discovered by a number of researchers and reported to Intel in January, the vulnerability includes three varieties. The company said in a blog post that when combined with updates released earlier this year, new updates being released today should protect most users from the vulnerability. "We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices," said Intel.
Google Chrome prevents sites from launching Spectre-like attacks
If you're using Chrome, you now have fewer reasons to worry about Spectre-style security threats. Google has revealed that Chrome 67 for desktop and the matching Chrome OS release enable a previously experimental Site Isolation feature that reduces the chances of intruders using speculative execution side-channel attacks like Spectre. The technique limits the web renderer process to content from a single site, preventing an attacker's page from sharing malicious code through an innocent page (say, though cross-site pop-ups or remotely stored scripts). In theory, sinister types can't swipe passwords or other sensitive data while you're visiting otherwise innocuous sites.
Intel details fourth Spectre-style CPU security flaw
Intel said it was expanding its bug bounty program to help find more Spectre-like processor security flaws, and unfortunately it just found one. The company (along with Google and Microsoft) has disclosed a fourth exploit (simply titled Variant 4) that once again uses speculative execution to expose some data through a side channel. The attack is so far known to work in a "language-based runtime environment" like the sort you'd see in a web browser (say, JavaScript), although Intel hadn't seen evidence of successful browser-based exploits.
AMD releases chip patches to address Spectre variant two
AMD has released a microcode update to address variant two of the Spectre chip flaw, which makes computers vulnerable to attacks that could reveal sensitive information such as passwords. It's been released alongside Microsoft's monthly "Patch Tuesday" update, which contains Spectre variant two mitigations for Windows 10.
I can’t wait for laptops with Apple’s own chips
Apple might be ready to ditch Intel's x86 chips in the Mac in favor of a custom-designed piece of silicon. At least that's the story out of Bloomberg, which believes that a transition by Apple to its own CPUs could begin by 2020. It's just a single, as yet unsubstantiated story, but it's already made a dent in Intel's share price, even if Apple is hardly its biggest customer. And yet it's clear that between Intel's recent problems and Apple's successes, it's time that divorce proceedings begin.
Intel redesigned its 8th-gen processors to patch ‘Meltdown’ flaws
As promised, Intel has redesigned its upcoming 8th-gen Xeon and Core processors to further reduce the risks of attacks via the Spectre and Meltdown vulnerabilities, CEO Brian Krzanich wrote. Those fixes are on top of the software updates already issued, which now patch "100 percent" of vulnerable Intel products launched in the past five years, he affirmed. The hardware changes will stop attacks by the Spectre variant 2 and Meltdown variant 3 weaknesses, but software fixes will still be required to patch Spectre variant 1 vulnerabilities.
Microsoft fixes more Meltdown and Spectre flaws in Windows
Microsoft has taken another step on its gargantuan journey to fortifying more than a billion PCs worldwide against Meltdown and Spectre vulnerabilities. This week's Patch Tuesday release updates PCs running x86 versions of Windows 7 and 8.1 against Meltdown, meaning that all currently supported Windows releases now include defense against this vulnerability.
Intel currently facing 32 class-action lawsuits for Spectre and Meltdown
Yesterday, Intel expanded its bug bounty program to catch more issues like the extensive Meltdown and Spectre CPU flaws, but that was too little, too late for some chip owners. We knew three class-action lawsuits were filed in early January days after the vulnerabilities were publicized, but according to an SEC filing, the total has grown to 30 multi-party suits by customers and two securities suits. Most argue that Intel violated securities laws when it assured its products were safe to use, which the Meltdown and Spectre flaws revealed to be untrue.
Researchers discover new ways to abuse Meltdown and Spectre flaws
Intel has already started looking for other Spectre-like flaws, but it won't be able to move on from the Spectre/Meltdown CPU vulnerabilities anytime soon. A team of security researchers from NVIDIA and Princeton University have discovered new ways to exploit Meltdown and Spectre outside of those idenfitied in the past. The researchers developed a tool to explore how else cyber criminals could take advantage of the CPU flaws and found new techniques that could be used to extract sensitive info like passwords from devices.
Intel expands bug bounty to catch more Spectre-like security flaws
To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It's widening its bug bounty program to both include more researchers and offer more incentives to spot Meltdown- and Spectre-like holes. The program is now open to all security researchers, not just by invitation, and includes sweeter rewards for discovering exploits. You now get up to $100,000 for disclosing general security flaws, and there's a new program dedicated to side channel vulnerabilities (read: issues like Spectre) that offers up to $250,000 through December 31st, 2018.
Intel releases new Spectre patch for its Skylake CPUs
More than a month after researchers revealed a pair of serious security issues affecting many modern CPUs, Intel is still working on updates that close the hole. VP Navin Shenoy has written another blog post about the situation, and said that the company has released microcode updates for Skylake-based chips to its industry partners. If one of those chips is inside your PC, you should expect to see a patch arriving shortly, and other platforms should follow "in the coming days." That includes those based on technology including (but not limited to) Broadwell and Haswell which had previously seen an update that the company withdrew after reports of random reboots. Basically, keep an eye out for more firmware and OS updates in the coming days, but we don't yet know exactly how long it will take for this mess to get sorted out on every platform.
Microsoft's new Windows 10 Spectre patch disables Intel's 'fix'
Intel recently admitted that its latest patch for "Spectre" was essentially worse than the bug it was supposed to fix, as it was causing computers to spontaneously reboot. Now, Microsoft has taken action by issuing an out-of-band patch for Windows 7, 8.1 and 10 that disables that fix for Spectre variant 2. If you're experiencing the problem you'll need to download the update, as it won't yet install automatically.
Intel told Chinese firms of Meltdown flaws before the US government
Intel may have been working with many tech industry players to address the Meltdown and Spectre flaws, but who it contacted and when might have been problematic. Wall Street Journal sources have claimed that Intel initially told a handful of customers about the processor vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, but not the US government. While the chip giant does have to talk to those companies to coordinate fixes, the Chinese government routinely monitors conversations like this -- it could have theoretically exploited the holes to intercept data before patches were available.
Intel promises Spectre- and Meltdown-proof chips this year
Intel will release updated chips with built-in mitigations for Spectre and Meltdown vulnerabilities later this year. The announcement was made by chief executive Brian Krzanich during the company's fourth quarter earnings call, and follows flawed patches by Intel and Microsoft that caused random rebooting issues on older and newer CPUs. Despite its misfires, Intel reported 4 percent year-over-year growth to $17.1 billion. Still, the threat of Spectre and Meltdown looms large over the tech industry.
Apple releases Meltdown patches for older versions of macOS
Today, Apple released updates that will protect some older operating systems against the Meltdown vulnerability. Patches for High Sierra were released earlier this month and now Sierra and El Capitan will be protected as well.
Apple's latest iOS update brings Siri news briefs and HomePod support
Siri's news reading feature is no longer limited to the beta testing crowd. Apple has officially released iOS 11.2.5, and the centerpiece is the ability to ask Siri for the latest happenings. If you're in the US, UK or Australia, you can get a briefing from a slew of local sources, such as NPR and the Washington Post in the states or the BBC and Sky News in the UK. And it doesn't have to be general news, either -- you can ask for business, music or sports news as well.
Intel admits Spectre patch problems also affect newer Core chips
Intel has revealed that even its newer CPUs are affected by the frequent reboot problems brought about by the Spectre/Meltdown patches. The chipmaker previously said that the reboot issue affects systems running Broadwell and Haswell. Now that it has managed to reproduce the problem internally in an effort to fix it, the company found that a similar behavior can occur in platforms powered by Skylake and Kaby Lake, which are newer than Haswell and Broadwell. Ivy Bridge- and Sandy Bridge-based systems, both older cores, are also susceptible to the bug. Thankfully, Intel VP Navin Shenoy said that they're close to identifying the problem's root issue. "In parallel," he added, "we will be providing beta microcode to vendors for validation by next week."
Congressman requests Meltdown and Spectre briefing from chip makers
US Representative Jerry McNerney sent a letter to Intel, AMD and ARM today requesting a briefing on the Meltdown and Spectre vulnerabilities and the companies' handling of them. McNerney, a California representative and member of the House Energy and Commerce Committee, said, "I am looking to better understand the nature of these critical vulnerabilities, the danger they pose to consumers and what steps your companies plan to take to protect consumers."
