Intel and other chipset manufacturers such as ARM and AMD, along with clients including Apple, did not start the new year as happily as it might seem. A security analyst discovered vulnerabilities in chipset design which, without a system update, could be used to steal sensitive data on your computer, such as passwords and emails.
These vulnerabilities affect not only computers but also other systems, such as cloud computing. Apple has acknowledged that the vulnerabilities affect almost its entire line of products, especially iOS devices and Macs.
“All Mac systems and iOS devices are affected,” their support document reads, “but there are no known exploits impacting customers at this time, we recommend downloading software only from trusted sources such as the App Store.”
Apple highlighted the magnitude of the vulnerabilities in their support document.
In relation to the flaws, the UK’s National Cyber Security Centre (NCSC) has said that it is aware of the issue and that patches were being produced. The NCSC has also advised that all organizations and home users should continue to protect their systems from imminent threats by installing patches and updates as soon as they become available.
The vulnerabilities, found on almost all major CPUs, are what are known as speculative execution issues. They apply to all modern processors, but attackers have not yet exploited them. To exploit the vulnerabilities, hackers need a malicious program to execute their commands and, thank goodness, such an app has not yet been developed. The vulnerabilities that were uncovered are Meltdown and Spectre. They affect speculative execution, which improves CPU speed and performance by operating on multiple instructions at once. Any exploit of the vulnerabilities will give access to privileged memory, including the kernel, and put everything at risk.
Meltdown is the name researchers gave to the exploitation technique known as rogue data cache load, or CVE-2017-5754. The technique lets user processes read kernel memory. According to Apple, this is the vulnerability with the most potential to be exploited by hackers.
Like Meltdown, Spectre is a name given to exploitation techniques, but it differs in that it covers two of them: bounds check bypass, or CVE-2017-5753, and branch target injection, or CVE-2017-5715. Unlike Meltdown, Spectre makes kernel memory available to user processes. This is achieved by taking advantage of the delay in the time that CPUs take to check the validity of a memory access call.
To restore its reputation, Intel is working closely with other chip manufacturers such as AMD and ARM Holdings, as well as several operating system vendors. They aim to develop an industry-wide approach that resolves and patches the vulnerabilities promptly and constructively. Intel has already begun rolling out software and firmware updates to mitigate these exploits. Check with your operating system vendor for other updates.
Apple has also released mitigations for the Meltdown vulnerability in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Luckily, the Apple Watch wasn’t affected, and its watchOS did not require any mitigation.
As for the performance cost of the mitigations, public benchmarks have shown no measurable impact in macOS, in iOS, or in common web browsing. Apple pointed this out because earlier claims insisted that these patches would lower performance by 30% compared with normal. Apple has also promised to release a patch for the Spectre vulnerability very soon. Intel also downplayed the claims by pointing out that
“for the average user, performance impacts should not be significant and will be mitigated over time.”