Jan 4, 2018

What you need to know about the massive chip security flaw

Illustration: Rebecca Zisser / Axios

A nasty series of vulnerabilities affecting decades of chip processors from Intel and others is the root of the broadest security hole to date, affecting nearly all computers, smartphones and servers. Companies including Apple, Amazon, Microsoft and Google are scrambling to provide software updates to their operating systems and cloud services — but researchers said the software makers can't fully address the holes the chips left open.

The bottom line: While one vulnerability is potentially limited to just Intel chips, a related flaw affects the chips used in nearly every modern device.

That means you'll want to be sure to install the latest updates for your computers, phones and tablets and even your browser. Cloud providers like Amazon's AWS and Microsoft's Azure will need updates, as will large web service providers that operate their own data centers. And even then you are only partially protected.

How the flaws work: The vulnerability is created by how chips do what is known as "speculative execution" — basically using their spare time to take on tasks that haven't specifically been requested. Unfortunately, researchers have demonstrated that the way chips handle such tasks also could give a malicious program access to protected parts of a computer's memory. There's a good explainer with more detail here.

What's affected: Virtually every device that runs on a modern chip, as well as the cloud services used by consumers and businesses. There are two separate classes of attacks.

  • One set, known as "Meltdown," seems limited to Intel processors made since 1995. Researchers say the issue can be addressed via a software update, but with a potentially significant impact on performance.
  • Another called "Spectre" affects all manner of modern chips, including processors from rival AMD as well as the ARM-based chips used in smartphones and other devices. This broader issue is harder to exploit, but also harder to address, with no one cure-all likely to work.
  • Researchers also demonstrated how a similar attack could also be used within a browser, so Mozilla, Google and other browser makers are also updating those programs.

How it happened: Researchers from Google's Project Zero and other security experts found the issue last year and reported it to AMD, Intel and ARM last June. Since then, the companies have been working on solutions. All the affected companies had planned to disclose the vulnerability next week, but moved forward the announcement as details, as well as proof-of-concept exploit code, began to leak out.

Industry response: Here's what the tech giants are doing to address the problem.

  • Microsoft issued updates for Windows 10, Windows 8 and Windows 7 as well as for its Azure cloud operating system
  • Amazon said Wednesday afternoon that "all but a small single-digit percentage of instances across the Amazon EC2 fleet" were already protected, with the remaining ones set to be finished in a few hours.
  • Google said it has released updates to Android and Chrome OS to address the issue and also has a feature in Chrome that users should turn on a feature known as "site isolation."
  • As of Wednesday evening, Apple had yet to comment on how its products are impacted.
  • Intel said it has been working with operating system vendors and hardware makers on industrywide approaches to addressing the issue and will also design future chips to avoid the issue.

The costs: Despite how widespread the problem is, Intel says it doesn't expect any significant financial impact. Other potential costs will be born by software makers creating patches and those that may see a performance impact from the software patches needed to close the security hole. It's also possible class-action lawyers may see this as a prime opportunity to litigate.

Get more stories like this by signing up for our daily tech newsletter, Login.

Go deeper

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 3 a.m. ET: 665,164 — Total deaths: 30,852 — Total recoveries: 140,225.
  2. U.S.: Leads the world in cases. Total confirmed cases as of 3 a.m. ET: 124,665 — Total deaths: 2,191 — Total recoveries: 1,095.
  3. Federal government latest: President Trump announces new travel advisories for New York, New Jersey and Connecticut, but rules out quarantine enforcement. Per the CDC, residents of those states must now "refrain from non-essential domestic travel for 14 days," with the exception of critical infrastructure industry workers.
  4. State updates: Alaska is latest state to issue a stay-at-home order — New York is trying to nearly triple its hospital capacity in less than a month and has moved its presidential primary to June 23. Some Midwestern swing voters who backed Trump's handling of the virus less than two weeks ago are balking at his call for the U.S. to be "opened up" by Easter.
  5. World updates: In Spain, over 1,400 people were confirmed dead between Thursday to Saturday.
  6. 🚀 Space updates: OneWeb filed for bankruptcy amid the novel coronavirus pandemic.
  7. Hollywood: Tom Hanks and Rita Wilson have returned to U.S. after being treated for coronavirus.
  8. What should I do? Answers about the virus from Axios expertsWhat to know about social distancingQ&A: Minimizing your coronavirus risk
  9. Other resources: CDC on how to avoid the virus, what to do if you get it.

Subscribe to Mike Allen's Axios AM to follow our coronavirus coverage each morning from your inbox.

Coronavirus updates: Global death toll tops 30,000

Data: The Center for Systems Science and Engineering at Johns Hopkins, the CDC, and China's Health Ministry. Note: China numbers are for the mainland only and U.S. numbers include repatriated citizens and confirmed plus presumptive cases from the CDC

The novel coronavirus has now killed more than 30,000 people around the world — with Italy reporting over 10,000 deaths, per Johns Hopkins data.

The big picture: The number of deaths from COVID-19 in the U.S. surpassed 2,000 on Saturday. The United States leads the world in confirmed coronavirus infections — more than 124,000 by early Sunday. The number of those recovered from the virus in the U.S. passed the 1,000-mark on Saturday evening.

Go deeperArrowUpdated 3 hours ago - Health

Gilead expands access to experimental coronavirus drug in emergency cases

Photo: Olivier Douliery/AFP via Getty Images

Gilead Sciences CEO Daniel O’Day said in an open letter Saturday the company is expanding access to its experimental anti-coronavirus drug remdesivir to include severely ill COVID-19 patients.

The big pig picture: President Trump has called the antiviral drug "promising," but the results of six clinical trials on this investigational medicine are still being conducted, so its effectiveness the treatment of the novel coronavirus has yet to be proved. The World Health Organization is involved in the tests.

Go deeperArrow3 hours ago - Health