Critical flaws put nearly all devices at risk

Meltdown affects computers that use Intel chips, while Spectre affects computers and smartphones built on Advanced Micro Devices (AMD) and ARM processors. PHOTO: REUTERS

Hardware flaws allow attackers to steal data; all users urged to apply fixes immediately

Critical hardware flaws revealed this week are putting billions of computers and smartphones at security risk, and Singapore's cyber security authority has urged all users to apply available security software fixes immediately.

Issuing the alert yesterday, the Singapore Computer Emergency Response Team (SingCert) said: "The vulnerabilities enable attackers to steal any data processed by the computer."

This includes confidential information such as passwords, which could allow them to compromise computers or entire server networks, it added.

SingCert is a unit of Singapore's Cyber Security Agency, which coordinates the nation's response to cyber threats and attacks.

So far, it has not received any reports of attacks due to the two critical flaws, dubbed Meltdown and Spectre. Meltdown affects computers that use Intel chips, while Spectre affects computers and smartphones built on Advanced Micro Devices (AMD) and ARM processors.

SingCert's advisory follows the release on Wednesday by global researchers of the full details of these two critical flaws in modern computer chips. Between them, they subject almost every computing device to snooping and data theft.

Although billions of computers and devices are vulnerable, security fixes are already being rolled out.

It is not known if hackers have abused the flaws, first discovered by the researchers separately last year. They are from Google's Project Zero, the University of Pennsylvania, Austria's Graz University of Technology, Australia's University of Adelaide and security firms Cyberus Technology, Rambus and Data61.

Both flaws work on the same principle that allows hackers to access the deep recesses of a computer's memory, the researchers wrote on a jointly created website.

"A malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs," they wrote. "This might include your passwords stored in a password manager or browser, your personal photos, e-mails, instant messages and even business-critical documents."

Noting that Intel dominates the global chip market for computers and data centres, cyber security firm Fortinet's security research director David Maciejak said: "This is a serious vulnerability that will exist for a long time... It will not take long for the security flaw to be exploited in the wild."

AMD and ARM dominate the rest of the computer chip market, although Samsung leads in chip making for mobile devices.

Urging every user to apply available security patches immediately, Mr Stree Naidu, the Asia-Pacific vice-president of cyber security services firm Cato Networks, said: "Not patching the vulnerability not only puts the data in the chip memory at risk, but also provides an entry point to critical servers and the entire corporate network."

On servers such as those run by Google Cloud Services, Amazon Web Services or Microsoft Azure for corporate customers, hackers can even steal data from multiple customers.

Google, Amazon and Microsoft said they have started rolling out security fixes for their cloud service platforms. Google and Microsoft have also issued security patches for their Web browsers, computers and smartphones.

Android users can accept the automatic security updates provided by device makers and reboot the devices.

A Singapore-based Microsoft spokesman said: "We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Mr Tony Jarvis, chief strategist at security software firm Check Point Software Technologies, said Apple, which uses Intel products in its laptops and desktops, has also rolled out fixes for its products running on OS X.

However, Apple has not published any information on the security fixes for its computers and smartphones to date.

Some of the patches are believed to cause slowdowns in a computer's performance by up to 30 per cent, although Intel has reportedly denied it.

A version of this article appeared in the print edition of The Straits Times on January 05, 2018, with the headline 'Critical flaws put nearly all devices at risk'.