Thursday, 04 January 2018 12:25

Fixes rushed out for Intel CPU bugs as embargo collapses


Serious security flaws caused by "speculative execution" have been found in Intel CPUs from the Pentium Pro onwards, with multiple research teams being credited with the discoveries.

Software patches have been released by both the Linux kernel team and Microsoft; the Linux patch was released last month, and it was expected that there would be an embargo on releasing details of the bug until 9 January, which is when Microsoft releases its monthly updates. Microsoft released a fix overnight. The company also posted information on how it would be securing its Azure customers.

The bugs have been named Meltdown and Spectre and even have their own logos! A comprehensive account of the vulnerabilities and a Q and A is available here. Some AMD and ARM processors are also vulnerable to Spectre.

The Linux patch did not even include comments in the code, in order to keep details of the bug quiet.

But security by obscurity rarely works and it did not work in this case either. Google justified breaking the embargo, saying: "We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."

Three exploits were described: bounds check bypass, branch target injection and rogue data cache load.

While both Google's Project Zero team and Intel claimed that the bugs affected CPUs from other manufacturers too, AMD was categorical in saying that its processors were not affected. The Project Zero detailed write-up is here.

Intel said in a media statement: "Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits."

But AMD's Tom Lendacky wrote in a post to the Linux kernel mailing list: "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.

"The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
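The Linux fix discussed above is kernel page table isolation (KPTI), and the three variants named earlier map onto the status files later kernels expose under sysfs (meltdown for rogue data cache load, spectre_v1 for bounds check bypass, spectre_v2 for branch target injection). The checker below is an added example, not code from the article or from any vendor: it reads those files and the pti flag in /proc/cpuinfo to confirm the patch is actually active, and falls back to constructed sample contents so it runs anywhere.

```python
import re
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")  # kernel 4.15+ status files
VULNS = ("meltdown", "spectre_v1", "spectre_v2")              # one file per variant

# Constructed sample of the sysfs files on a patched Intel host (KPTI on, no retpoline).
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
SAMPLE_CPUINFO = ("flags\t\t: fpu vme pti ibpb\n"  # constructed; 'pti' flag = KPTI active
                  "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n")

def classify(text):
    """Map one sysfs status string to a coarse verdict."""
    s = text.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # file missing or unrecognised: never assume safety

def cpuinfo_field(cpuinfo, name):
    """Return the items of a /proc/cpuinfo line such as 'flags' or 'bugs' as a set."""
    m = re.search(r"^%s\s*:\s*(.*)$" % re.escape(name), cpuinfo, re.M)
    return set(m.group(1).split()) if m else set()

def report(sysfs, cpuinfo):
    """Combine both sources; KPTI counts as active only when they agree."""
    verdicts = {v: classify(sysfs.get(v, "")) for v in VULNS}
    verdicts["kpti_active"] = (verdicts["meltdown"] == "mitigated"
                               and "pti" in cpuinfo_field(cpuinfo, "flags"))
    verdicts["cpu_bugs"] = sorted(cpuinfo_field(cpuinfo, "bugs"))
    return verdicts

def read_live():
    """Read the real files if present, else fall back to the constructed samples."""
    cpuinfo = Path("/proc/cpuinfo")
    if not SYSFS_DIR.is_dir() or not cpuinfo.exists():
        return report(SAMPLE_SYSFS, SAMPLE_CPUINFO)
    sysfs = {v: (SYSFS_DIR / v).read_text() for v in VULNS if (SYSFS_DIR / v).exists()}
    return report(sysfs, cpuinfo.read_text())

if __name__ == "__main__":
    print(read_live())
```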


ARM said the majority of its processors were not affected. "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism," the company said. It provided a list of the processors that it said were affected.

Linux expert Russell Coker told iTWire in response to queries: "Speculative execution is where when a program branches (eg. an 'if' condition) the CPU starts executing the code on the most likely branch and then discards it if the other branch is taken. The bug MIGHT be something like performing speculative execution without adequate access checks such that a hostile application could have an instruction in what the CPU considers the most likely code path after a branch that accesses some memory and then sees what happens when it runs. AMD CPUs apparently don't have the bug in question."

He said there was a reasonable use case for systems that did not need such kernel security. "A significant portion of Linux systems are single-user workstations. For such a system you have one UID that deals with all the data from the Internet (and is therefore at risk of compromise) which also has access to all secrets (Internet banking passwords, GPG keys, ssh keys, etc).

"On such a single-user workstation the UID in question is generally used to access root via sudo or similar, and therefore an attacker who gets that UID can get root with a little patience and not much skill. For such a single user workstation (like the systems most Linux users have on their desktops) the new kernel won't provide any real benefit."


Russell said there were some things that could be done to improve security of single-user workstations. "For starters, encourage users to use a different session for tasks that need root access, even CTRL-ALT-F1 to get a text console will do. Programs that need stored passwords or cryptographic keys (such as mail clients, GPG, ssh clients, etc) could use a proxy running under a different UID to store the secret data so a compromise of the main account wouldn't immediately give everything away.

"Such techniques could make regular user compromise on a single-user workstation inadequate to get all access and therefore make kernel security important for single user systems."

But he added that the way current Linux workstations were used by single users (i.e. one non-root UID that does everything) meant that root access wasn't important for a hostile party. "By getting access to the regular UID of the user they can read all mail, get ssh and GPG keys, read key presses (Internet banking passwords etc), and do everything else they would want to do. For someone running such a system there probably isn't much benefit in installing a patched kernel."

Russell was quick to point out that he was not advocating the avoidance of security patches. "Note that I'm not saying 'don't install security fixes'. I'm just noting that a typical home user Linux system has bigger security problems than the potential of a hostile program finding out address space randomisation information to permit other attacks on the kernel."

He said that from what was currently known about this security flaw there was no solid information on it being directly exploitable and it seemed to be merely a way of permitting other exploits.

"But we should consider the possibility that the researchers who discovered this flaw didn't discover all the possible ways of exploiting it," he added.

"It could be that in a matter of days or weeks someone will come out with a more effective exploit which will make this more serious, i.e. direct root access rather than merely extracting data to help other exploits."

Intel shares took a beating after news of the flaws broke, with a fall of as much as 5.5%, the most since October 2016. AMD surged 8.8% on the news while Nvidia went up by 6.3%.







Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
