TECH TUESDAY: Meet Meltdown & Spectre, Intel Chip’s Latest Security Flaws

cigar

hacker-access_v2.png

Frozen micro chipI am old enough to remember when computers were considered an expensive fad. It is quite humbling, and rather awe-inspiring, to think that the home computer is more than just a mainstay in society, it is considered an essential appliance akin to the refrigerator or a stove. We carry in our hands more computer power than the entirety of NASA’s Mercury, Gemini, and Apollo missions combined, and we redefine how we connect and communicate with one another on a daily basis.

What is most humbling, though, is how reliant this technology is on a single chip, and that chip is incredibly fragile. Without it being secure and solid in its performance, computers are nothing more than paperweights.

So let’s talk a bit on that fragility.

The Intel chip – the hardware at the heart of many computer and smart device technology – has been revealed to possess newly discovered security flaws. Note, these are additional flaws to the ones that have lingered since 1995. (No, you didn’t misread that.) Fast forward two decades and some change, and researchers discover two major weaknesses in the processors that could let attackers read sensitive information that should never leave the Central Processing Unit (CPU). In both cases, attackers could see data that the processor temporarily made available outside of the chip. So why is this a concern? What kind of data does the CPU carry?

Welcome to Computers 101, something we teach here at Stratford. To make computer processes run faster, a chip essentially guesses what information the computer needs to perform next. That’s called speculative execution. As the chip guesses a future calculation, whatever sensitive information that has been entered into the computer or smart device – interpret this as “passwords” – is momentarily easier to access. One of these new flaws, Spectre, would let attackers trick the processor into starting a speculative execution process. Then attackers could read the secret data that the chip makes available as it tries to guess what function the computer is going to carry out next. The other flaw discovered – Meltdown – grants permissions to attackers the sensitive information through a computer’s operating system, such as Microsoft Windows or Apple’s High Sierra.

hacker data computer attackWith these flaws out in the open, software and hardware vendors are working hard to make this right. Intel CEO Brian Krzanich said the problems are well on their way to being fixed. They have already developed a patch for all chips, released earlier this year, that reportedly fixed 90% of the chips produced in the last five years. Also, last month, Microsoft released patches for the Windows operating system, Internet Explorer, and their new Edge browser. While this patch was supposed to aid in the repair of the Intel patch, Microsoft still warned that your antivirus software needs to be updated to support those patches. Apple said that it has released mitigations for the Meltdown flaw in order to secure their operating systems used across Mac computers, Apple TVs, iPhones and iPads. Apple has been assuring its loyal base that neither Meltdown nor Spectre affect the Apple Watch.

Researchers at Google’s Project Zero, as well as a separate team of academic researchers, discovered these problems in 2017, but Intel’s issues existed for decades. Vulnerabilities like these are widespread as Intel chips are used in devices by Apple, Google, Microsoft, and Amazon. Firefox got protection back in November, and Chromebooks received protection back in December 2017; but more and more vendors have been offering patches once the new year was underway.

Here is your takeaway: make certain that if there are going to be any updates – patches, downloads, and updates – make sure you’ve got your OS and all its repairs installed and in place. If you’ve got the latest system update from Microsoft or Apple, then you should be OK. There are no instances where anyone has exploited this vulnerability yet, but better safe than sorry.

 


 

shurtz.jpgA research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.