Rumors had been flying around cybersecurity circles at the turn of the year about a vulnerability affecting computers running Intel chips. As Forbes reported earlier today, some feared the issue would leave millions upon millions of computers vulnerable to snooping, whilst others fretted the fix would slow down PCs dramatically, given the deep changes required to address the problem. And now researchers have revealed it could really be as widespread and severe as feared.
Dubbed Meltdown, the flaw allowed a hacker to read information from applications' memory at the kernel level, a space deep down in the operating system that's core to the functioning of everything on a computer. Passwords, photos, documents and other sensitive data could all be read by an attacker exploiting Meltdown, the researchers warned on a website and in a whitepaper Wednesday. They noted that "virtually every user of a personal computer" in the world was affected either by Meltdown or a related issue they named Spectre, and that the entire memory contents of a vulnerable PC could be surveilled.
If a computer runs on any Intel processor from 1995 onwards, bar Itanium and Atom chips manufactured before 2013, it's likely vulnerable, the researchers warned. And, crucially, cloud environments are also affected, as the flaw could be abused by an attacker to read the memory of a virtual machine without any permissions or privileges.
Software updates are expected to land over the next week to defang the issue and users have been advised to update as soon as possible.
What's the problem?
Normally a computer prevents one application from reading information passing through the kernel. But with Meltdown, that isolation is broken, so one program can read another's memory in the kernel without permission. As the researchers noted: "The bug basically melts security boundaries which are normally enforced by the hardware."
The attack exploits the way Intel systems handle the situation where the CPU cannot yet be certain whether an instruction will run, known as speculative execution. Typically, the processor guesses at the outcome, runs the likely instructions ahead of time to get ahead of the task, and discards the results if the guess turns out to be wrong. During that speculative window, Intel's processors did not stop low-privilege applications from accessing kernel-level memory, meaning an attacker could use a malicious application to get at private data that should have been segregated.
Earlier on Wednesday, Erik Bosman, from the Systems and Network Security Group at the Vrije Universiteit Amsterdam in the Netherlands, tweeted what appeared to be a proof-of-concept exploit of the vulnerability, which had been reported on but was unconfirmed at the time.
Daniel Gruss, from the Graz University of Technology, was one of the researchers who uncovered the issue, alongside academic colleagues, Google Project Zero's Jann Horn and employees of the German cybersecurity firm Cyberus Technology. He told Forbes that the researchers "only have proof-of-concept code for local attacks." That meant, in the real world, an attack would require the intruder to have found a way onto the computer first. A typical cyberattack, such as a phish that installs malware, would be a likely entry point, though it's unknown whether any malicious individual has attempted to carry out the attack.
The researchers said they'd only successfully exploited Meltdown on Intel chips and were unsure if the attacks would work on AMD or ARM systems. A public ARM statement indicated the British company's chips were unaffected.
"Meltdown is so easy to exploit that we're expecting [it] to be the significant problem for the next weeks," said Gruss.
Intel issued a statement, in which it said that it wasn't possible to modify a vulnerable system, only to spy on data, adding that media reports on the nature of the issue were inaccurate. In particular, it took umbrage at the claims that the exploits were caused by a "bug" or a "flaw" and were unique to Intel products. "Intel has begun providing software and firmware updates to mitigate these exploits," the company said, noting it was working with AMD, ARM and operating system manufacturers to prevent attacks.
"Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports." It recommended installing updates as soon as they become available.
Microsoft said it was in the process of deploying fixes to its cloud services and was releasing security updates today to protect Windows customers, whilst Apple hadn't responded to Forbes' request for comment. The researchers said both companies were supplying updates for Windows and Mac OS. The academics, who'd developed a fix called KAISER, also noted fixes for Linux computers were ready. And Amazon Web Services posted an advisory for its cloud customers.
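Once the updates described above are installed, the practical question for an administrator is whether the running kernel actually reports the KAISER-derived mitigation as active. The script below is an added example, not code from the article or the researchers; it assumes a Linux kernel new enough to expose the sysfs directory /sys/devices/system/cpu/vulnerabilities/ (introduced after the original disclosure, in 4.15), and takes the directory as a parameter so a copy collected from another host can be checked offline.

```shell
#!/bin/sh
# Added example: summarise the kernel's own view of Meltdown/Spectre
# mitigation status. Assumed interface: one sysfs file per issue whose
# content reads "Not affected", "Mitigation: <name>" or "Vulnerable".

# Print "<issue>: <verdict>" for one status file.
# Exit status: 0 = not affected or mitigated, 1 = reported vulnerable,
# 2 = unknown (file absent, e.g. a kernel that predates the reporting).
mitigation_verdict() {
    dir="$1"; issue="$2"
    file="$dir/$issue"
    if [ ! -r "$file" ]; then
        echo "$issue: unknown (kernel does not report this issue)"
        return 2
    fi
    status=$(cat "$file")
    case "$status" in
        "Not affected"*) echo "$issue: ok ($status)";         return 0 ;;
        Mitigation:*)    echo "$issue: ok ($status)";         return 0 ;;
        Vulnerable*)     echo "$issue: VULNERABLE ($status)"; return 1 ;;
        *)               echo "$issue: unknown ($status)";    return 2 ;;
    esac
}

# Check the three issues named at disclosure time. Overall exit status is 1
# if any issue is reported vulnerable; "unknown" alone does not fail the check.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        mitigation_verdict "$dir" "$issue" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# With no argument this inspects the running kernel.
check_cpu_mitigations "$@"
```

Pass a directory containing copied status files to audit a fleet offline; an "unknown" verdict means the kernel is too old to report and should be treated as unpatched until updated.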
Intel also denied claims that the performance of Intel-based computers would be significantly affected by the Meltdown fixes. One report had claimed the degradation could cause a slowdown of between 5% and 30%. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company said.
Gruss said he was unsure about the potential impact on performance, telling Forbes it depended on many factors, from the processor architecture to the use case. He did agree with Intel, however, that regular computer users wouldn't be affected much by the slowdown. But, he added, "unusual workloads" on older computers could be up to 50% slower.
A Spectre looms
Meltdown wasn't the only problem uncovered by the researchers, however. They detailed a related issue dubbed Spectre, which they believe is harder to address than Meltdown and for which no patches are yet available. As noted in a whitepaper, which contains the full technical details, Spectre attacks induce a victim application to carry out speculative execution "that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary." Google's Jann Horn has also released his full analysis of Meltdown and Spectre.
Worryingly, it's not just Intel systems that are affected by Spectre, but computers running AMD and ARM too, the researchers claimed. That would amount to not millions, but billions of machines, they added. For instance, Gruss said Spectre attacks on AMD-based machines worked "super-reliably."
A spokesperson from AMD, however, noted that it had been contacted by Google about the issues, but that "based on the findings to date and the differences in AMD processor architecture, we believe there is near zero risk to AMD products at this time." It noted that the problems would be addressed by software and operating system updates.
ARM, meanwhile, said it was in the process of informing its partners and encouraging them to deploy the mitigations it had developed if their chips are impacted. "At this site - https://developer.arm.com/support/security-update - you can find more technical information, including the ARM cores impacted and details on how to get the software mitigations," a spokesperson said.
For a less technical description, Gruss explained: "Think of a Star Wars movie where someone wants to steal money. Spectre is like a Jedi mind trick: you make someone else give you their money, this happens so quick that they don't realize what they're doing.
"Meltdown just grabs the money very quickly like a pickpocket. The Jedi mind trick is of course more difficult to do, but also harder to mitigate."