This week, major manufacturers of computer hardware, chips and software have released security patches designed to overcome critical vulnerabilities in processors. This is a widespread issue and one that Compugen is monitoring closely and wanted to make our customers aware of.
It is Compugen’s stance that current and upcoming patches from Microsoft, Intel and other major OEMs are critical in nature and should be treated as emergency patches.
What's the issue?
Cybersecurity researchers discovered two critical vulnerabilities that exploit flaws within processors used in almost all computers, tablets and many phones. These two vulnerabilities are called Spectre and Meltdown, both of which could give unauthorized access to sensitive information stored in a computer's memory. Although there haven't been any reports of hackers exploiting these vulnerabilities, it is a concern because these breaches are directly in the processor of the computer, bypassing some conventional security measures.
How did this happen?
Researchers have tested Spectre on Intel, AMD and ARM processors and confirmed that almost every system is affected by Spectre including mobile devices and cloud infrastructures. Spectre exploits the processor's speculative execution function, used to speed up processes by guessing the execution path before the execution is completed. The vulnerability is that malicious code could be written to trick the processor into running a speculative execution that would give access to the memory address space where confidential data like passwords and security keys may be present.
Meltdown is a vulnerability that researchers have found in Intel processors that exploits the out-of-order execution feature of the processor to gain access to sensitive information in the memory of the system. The out-of-order execution is a feature used to increase speed, by sending program operations out-of-order to idle execution units when an execution unit is busy with another program operations. This is a security flaw because it allows different programs to easily access other digital memory used by other programs. Conceivably, a culprit could place a malicious program in memory that accesses other program information.
What should I do?
Tech companies including Intel, AMD, ARM, and Microsoft have been working together after these vulnerabilities were discovered to develop software patches as workarounds to fix the issues. Both Intel and Microsoft have issued updates to protect systems from these exploits. Intel system updates are for the majority of their processors made within the past five years, and are issued by system manufacturers and operating system providers. Microsoft issued updates are for supported versions of Windows including Windows 7 and Windows 8, while systems running Windows 10 should have been automatically updated on January 3rd. Some experts believe these updates will slowdown the performance of the processor, but Intel says for the average user it should not be significant.
While it important to ensure you apply all BIOS, Operating System, Web Browser and Application patches as soon as they become available, please note that Microsoft has advised that updates may cause conflict with some antivirus software. Please confirm compatibility before you proceed. Consider checking the website of your computer manufacturer, or that of your processor for situational information and remedial action. Also, only install programs from trusted sources.
For more information:
Meltdown and Spectre - meltdown attack overview