comscore Meltdown and Spectre: Here is what Intel, AMD and others are doing to keep you safe
News

Meltdown and Spectre: Here is what Intel, AMD and others are doing to keep you safe

Here is what Intel, AMD, Microsoft, Apple are others are doing to mitigate Meltdown and Spectre vulnerability

  • Updated: January 9, 2018 10:40 AM IST
meltdown spectre main

Meltdown and Spectre are two of the most critical CPU bugs ever discovered by security researchers. Meltdown, a vulnerability that affects devices using Intel CPUs, was reported by Jann Horn of Google’s Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology and Daniel Gruss and his colleagues at Graz University of Technology. Spectre, on the other hand, affects almost all chipsets, and was independently reported by Jann Horn of Google’s Project Zero and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom. Also Read - Google Pay will not charge transfer fee from Indian users; Google India clarifies

Also Read - 400 new games coming to Google Stadia cloud gaming platform

The two vulnerabilities, related in nature, were first privately disclosed to the concerned companies including chip makers, operating system developers and cloud computing service providers. The details related to the flaw were scheduled to be revealed to public this week, but The Register revealed the news last week forcing the companies to publicly disclose the information. Also Read - Microsoft Xbox gaming app coming to your smart TV next year

Intel was the first to confirm the Meltdown flaw affecting its CPUs designed over the past two decades. The Santa Clara-based chip manufacturer played down the risk by highlighting that software patches to mitigate the risk have been developed and will be rolled out across platforms in the coming weeks. However, it didn’t confirm whether the problem will be rectified at the chip level with future design.

What Meltdown and Spectre do?

To briefly recap, Meltdown and Spectre affect the chip-level architecture of chipsets from major semiconductor manufacturers including Intel, AMD and ARM Holdings. The flaw allows any attacker to access the low-level kernel memory that is normally protected from higher programs and user access. While there are no reports of any such attack, it is impossible to trace such an attack since they don’t leave a log of it.

Security researchers claim that Meltdown is the easiest of the two to exploit, and allows any user program to read normally protected data. Daniel Gruss hacked into his own computer to detect the flaw and even designed the procedure called KAISER or Kernel Address Isolation to have Side-channels Effectively Removed that is being used by companies to mitigate the vulnerability by defending the kernel memory from the side-channel attack.

Here is what tech companies are doing to keep you safe from these vulnerabilites.

Intel

Intel is at the center of this security flaw with Meltdown affecting all of its chipsets manufactured over the past twenty years. In its response, Intel confirmed that “these exploits do not have the potential to corrupt, modify, or delete data”, but it failed to offer explanation on what it means for existing chip design and the future generation of Intel CPUs.

The statement also does little to distinguish between Meltdown and Spectre with researchers stating that Meltdown is serious of the two, and has direct implications on Intel processors. Intel says Meltdown can be fixed with operating system level patch and confirmed working with Microsoft and Apple on the same.

For Spectre, Intel recommends inserting a serializing instruction in code between testing array bounds accessing the array. It doesn’t specify where these serializing instructions need to be added, but the addition means that test of the array bounds must be completed even before the array is accessed. This ensures that there is no speculative access to the array assuming that the test is successful. Intel’s suggestion to add a serializing instruction need to be supported and used by operating systems and must be separated from individual applications.

AMD

AMD researcher immediately confirmed that its chipsets are not affected by the Meltdown flaw. It also claimed that its chip architecture should not be affected by the branch prediction attack used by Spectre.

AMD is suggesting operating system patches for array bounds problem that Intel is mitigating with additional serializing instruction. AMD has been silent so far to share details on its approach to mitigate the issue, and how it plans to fix the issue with future chipsets.

Microsoft

Microsoft confirmed that it started patching its operating system against Meltdown vulnerability in November last year. It confirmed that Windows 10 is being mitigated against Meltdown with automatic updates, while other OS users will need to manually update their systems with latest security patch.

Microsoft is testing dual page table system with Insider builds of Windows 10, and will use hardware capabilities to reduce the performance impact caused by implementation of dual page tables. Microsoft says some third-party antivirus software break dual-page tables, and it will not implement it when a third-party anti-virus is detected. It also says that dual-page tables are not implemented with Windows Server.

In order to safeguard against Spectre, Microsoft is issuing patches to modify Edge and Internet Explorer that disable access to JavaScript SharedArrayBuffer. The array bounds attack of Spectre is a risk for web browsers in particular, and is capable of stealing passwords. Even Mozilla has patched Firefox with similar approach.

Apple

Apple designs its own chipsets and operating system for mobile devices, and relies on chipset from Intel and AMD for its computing devices. The company has confirmed that it has patched iOS, macOS and tvOS against Meltdown with the latest update. It has also confirmed that Safari will get an update to prevent against the problem.

Apple, being Apple, is not offering too much of details as to how it plans to protect its products. It seems to be relying on the standard practice of making kernel memory separate from user memory.

Amazon

Amazon has rolled out patches for its Amazon Web Services that protect shared systems against Meltdown attacks. Amazon says it hasn’t seen any impact on performance post the roll out of Meltdown patch.

Google

Google is relying on Linux’s protection to safeguard Android and Chrome OS, which depend on Linux kernels. In order to mitigate, Linux developers have taken an approach by separating the kernel’s memory from user processes, and it has been detailed with the current state of kernel page-table isolation.

Google has updated Chrome OS for x86 architecture with dual page table protection while the OS will get updated for ARM processors at a later stage. The Chrome browser, like Edge and Mozilla, has been modified to prevent precise timing of JavaScript.

For the latest tech news across the world, latest PC and Mobile games, tips & tricks, top-notch gadget reviews of most exciting releases follow BGR India’s Facebook, Twitter, subscribe our YouTube Channel.
  • Published Date: January 8, 2018 12:04 PM IST
  • Updated Date: January 9, 2018 10:40 AM IST



new arrivals in india

Xiaomi Mi 10T Pro
Xiaomi Mi 10T Pro

39,999

Infinix Hot 10
Infinix Hot 10

9,999

Vivo V20 SE
Vivo V20 SE

20,990

Vivo V20
Vivo V20

24,990

Micromax In 1b
Micromax In 1b

6,999

Micromax In Note 1
Micromax In Note 1

10,999

OnePlus 8T
OnePlus 8T

42,999

Samsung Galaxy F41
Samsung Galaxy F41

15,499

Apple iPhone 12 Pro Max
Apple iPhone 12 Pro Max

1,29,900

Apple iPhone 12 Pro
Apple iPhone 12 Pro

1,19,900

Apple iPhone 12 Mini
Apple iPhone 12 Mini

69,900

Apple iPhone 12
Apple iPhone 12

79,900

Poco X3
Poco X3

16,999

Realme Narzo 20A
Realme Narzo 20A

8,499

Realme Narzo 20
Realme Narzo 20

10,499

Realme Narzo 20 Pro
Realme Narzo 20 Pro

14,999

Oppo F17
Oppo F17

17,990

Samsung Galaxy M51
Samsung Galaxy M51

24,999

Poco M2
Poco M2

10,999

Oppo F17 Pro
Oppo F17 Pro

22,990

Realme 7 Pro
Realme 7 Pro

19,999

Realme 7
Realme 7

14,999

Xiaomi Redmi 9A
Xiaomi Redmi 9A

6,799

Vivo Y20
Vivo Y20

12,990

Xiaomi Redmi 9
Xiaomi Redmi 9

8,999

Nokia 5.3
Nokia 5.3

13,999

Motorola Moto G9
Motorola Moto G9

11,499

Realme C15
Realme C15

9,999

Realme C12
Realme C12

8,999

Samsung Galaxy Note 20
Samsung Galaxy Note 20

77,999

Xiaomi Redmi 9 Prime
Xiaomi Redmi 9 Prime

9,999

Oppo Reno4 Pro
Oppo Reno4 Pro

34,990

Samsung Galaxy M01 Core
Samsung Galaxy M01 Core

5,499

Realme 6i
Realme 6i

12,999

Asus Rog Phone 3
Asus Rog Phone 3

49,999

OnePlus Nord
OnePlus Nord

24,999

Infinix Smart 4 Plus
Infinix Smart 4 Plus

7,999

Xiaomi Redmi Note 9
Xiaomi Redmi Note 9

11,999

Samsung Galaxy M01s
Samsung Galaxy M01s

9,999

Vivo X50 Pro 5G
Vivo X50 Pro 5G

49,990

Vivo X50 5G
Vivo X50 5G

34,990

Realme C11
Realme C11

7,499

Poco M2 Pro
Poco M2 Pro

13,999

Realme X3
Realme X3

24,999

Realme X3 SuperZoom
Realme X3 SuperZoom

27,999

Tecno Spark Power 2
Tecno Spark Power 2

9,999

Oppo A12
Oppo A12

9,990

Oppo A52
Oppo A52

16,990

Samsung Galaxy A21s
Samsung Galaxy A21s

15,999

Oppo Find X2
Oppo Find X2

64,990

Motorola One Fusion Plus
Motorola One Fusion Plus

17,499

Samsung Galaxy A31
Samsung Galaxy A31

20,999

Samsung Galaxy M01
Samsung Galaxy M01

8,999

Samsung Galaxy M11
Samsung Galaxy M11

10,999

Infinix Hot 9 Pro
Infinix Hot 9 Pro

9,999

LG Velvet
LG Velvet

Price Not Available

Xiaomi Mi Note 10 Lite
Xiaomi Mi Note 10 Lite

Price Not Available

Apple iPhone SE 2020
Apple iPhone SE 2020

42,500

Honor 30 Pro
Honor 30 Pro

Price Not Available

Honor 30
Honor 30

Price Not Available

OnePlus 8
OnePlus 8

44,999

OnePlus 8 Pro
OnePlus 8 Pro

54,999

Xiaomi Redmi Note 9 Pro
Xiaomi Redmi Note 9 Pro

13,999

Motorola Moto E4
Motorola Moto E4

8,999

Samsung Galaxy On Max
Samsung Galaxy On Max

9,775

nubia N2
nubia N2

15,999

Karbonn K9 Kavach 4G
Karbonn K9 Kavach 4G

5,290

Motorola Moto C Plus
Motorola Moto C Plus

6,999

Best Sellers