DEV Community

Ian Johnson
Ian Johnson

Posted on

Processor Security Flaws

Two security flaws in Intel, AMD and ARM processors were discovered. These flaws allow malicious users to read memory and access secrets, like passwords.

Security flaws put virtually all phones, computers at risk

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

Update your devices as soon as possible.

Discussion (9)

Collapse
mortoray profile image
edA‑qa mort‑ora‑y

I think it's only to be expected that as the processors add more logic the likelihood of security flaws will increase. I see a potential market for having lowered power, and far less complex chips, for security intense operations...

...that is, assuming the public ever truly cares about security breaches, viruses, spam, malware etc. We've shown a strong reluctance not to care before.

Collapse
ben profile image
Ben Halpern

The other side of the coin is update lethargy (or failure to make updates pain-free). Either way, there needs to be a shift.

Passwords, updates, phishing, etc. There are a lot of security issues education, while always evolving, are pretty evergreen in the computer age and we should be teaching this stuff a lot.

Collapse
mortoray profile image
edA‑qa mort‑ora‑y

I think the shift has to be fundamental. A model that requires continuous updates is an never-ending war, and the faults will just continue. Were systems instead designed for security from the ground up then update lethargy wouldn't be as serious as a problem (though attackers have shown some extreme ingenuity in recent times).

But, as you say, unless education of the average internet user is improved, there will be no push towards any kind of security shift. This is kind of scary. In contrast, this Intel defect is really kind of harmless in contrast to what people willingly share about themselves online.

Education and awareness are probably the biggest issues.

Thread Thread
lambdude profile image
Ian Johnson Author

You just hit the nail on the head. I totally agree that this is an education issue. The average end-user doesn't know what phishing is. That just makes it easier for them to get owned by it. The same is true of many other vulnerabilities. And even more so with user practices, like using the same password over and over. Even after Equifax, the average user doesn't care. Perhaps this needs to be a bigger part of public education.

Collapse
ben profile image
Ben Halpern

This has to be the worst vulnerability I've ever heard of. It takes advantage of a layer between apps and data that users expect to be totally secure.

Collapse
orkon profile image
Alex Rudenko

I wonder if it has been exploited by someone before it became widely known. How likely is it that black hats/govts could know about it and use it secretly?

Collapse
lambdude profile image
Ian Johnson Author • Edited

From the Reuters article:

Speaking on CNBC, Intel’s Krzanich said Google researchers told Intel of the flaws “a while ago” and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the “Spectre” flaw on June 1, 2017 and reported the “Meltdown” flaw after the first flaw but before July 28, 2017.

I haven't heard of any exploits in the wild yet. Although, keeping vulnerabilities secret to use as zero-day attacks is the standard operating procedure of the NSA. And if the NSA knows about it, black hats probably know about it too. I would actually be surprised if that wasn't the case.

Collapse
nektro profile image
Meghan (she/her)

SharedArrayBuffer and performance analytics are also being temporarily disabled in browsers in the mean time

Chrome: chromium.org/Home/chromium-securit...
Firefox: blog.mozilla.org/security/2018/01/...
Edge too

Collapse
isaacdlyman profile image
Isaac Lyman

If anyone's curious about how Meltdown works, here's my attempt to explain it very simply: dev.to/isaacandsuch/how-meltdown-w...