Government advises all businesses and individuals to take urgent action against microchip flaws
Concern still mounting about ‘most disturbing issue to hit the industry for decades’
The National Cyber Security Centre (NCSC) has urged “all organisations and home users” to take action to protect themselves from the dangers posed by flaws in computer processors.
Over the last week, details have emerged of two major flaws affecting the central processing units of PCs, servers, and smartphones. The exploitation techniques – dubbed Meltdown and Spectre – could reportedly allow hackers to get through security barriers and potentially access protected information.
Experts have claimed that the flaws are present in most, if not all, devices manufactured over a period stretching back years – if not decades.
Meltdown is understood to primarily affect processors from Intel, whose microchips support more than four fifths of all PCs globally. Spectre, meanwhile, impacts Intel’s products as well as technology from other manufacturers, including main rival AMD, which manufactures about one in five of the world’s CPUs, and UK-based ARM, whose tech feature in many smartphones.
"The exposure window is huge, as it is reliant on people voluntarily patching their systems, which obviously has a significant lag"
Ross Brewer, LogRhythm
The flaws could reportedly affect chips that are up to 20 years old or more.
A blog from hardware manufacturer Apple said: “These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.”
- ICT industry demands cybersecurity boost
- How should we respond to cyber attacks on public bodies?
- UK hit by more than 30 cyberattacks requiring ‘a cross-government response’ in the last year
Apple has already released software updates designed to protect against the Meltdown flaw, with Spectre-focused patches due to follow “in the coming days”.
Intel claims to have made “significant progress” in releasing updates designed to make its products “immune from both… Spectre and Meltdown”.
“Intel has already issued updates for the majority of processor products introduced within the past five years,” the company added. “By the end of next week, Intel expects to have issued updates for more than 90% of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.”
The widespread concern has prompted the NCSC – which serves as GCHQ’s dedicated cybersecurity wing – to issue a statement explaining that, while there are, so far, no known successful hacks that have resulted from the flaws, all individual users and IT professionals should take preventive steps as soon as they can.
“We are aware of reports about a potential flaw affecting some computer processors,” it said. “At this stage, there is no evidence of any malicious exploitation and patches are being produced for the major platforms. The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”
Both Meltdown and Spectre are exploitation techniques that work by preying on a microchip function dubbed “speculative execution”, according to the Apple blog. Speculative execution works by predicting which is the most likely path of actions the CPU will need to execute for the computer programmes it is processing. Progressing down the predicted path and pre-emptively executing the necessary actions – before the user has expressly instructed the CPU to do so – is intended to allow the PC to run more quickly.
If it predicts incorrectly, its previous executions should be seamlessly undone – without any information being fed to the software programmes running on the computer. The Meltdown and Spectre techniques can reportedly take advantage of speculative execution in a way that potentially allows a malicious application to access privileged memory information that ought to remain hidden from it.
While the NCSC and various technology companies have taken pains to point out that no malicious activity has yet been perpetrated using either of the exploits, many commentators seemingly remain uneasy.
"These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected"
Ross Brewer, Europe, Middle East, and Africa managing director at security software vendor LogRhythm said: “This is without doubt the most disturbing issue to hit the industry for decades, with all modern processors, computing devices and operating systems affected. This really is the big one, and everyone – consumers and businesses alike – must pay attention.”
He added: “Not only is the attack surface the biggest we’ve seen, with so many devices at risk globally, the exposure window is also huge as it is reliant on people voluntarily patching their systems, which obviously has a significant lag.”
A major government-commissioned study found that about half of UK organisations are lacking basic security skills. PublicTechnology talks to the researchers behind it to find out where...
We are approaching the fourth anniversary of the foundation of the NCSC and the threats it was created to respond to loom larger than ever. PublicTechnology examines the growth of the UK’...
Head of Test and Trace programme Baroness Harding says she does not want to specify a timeframe as projects often do not ‘run in a smooth way’
The UK has tended to only introduce data-protection laws in conjunction with EU legislation and, according to Ray Walsh from ProPrivacy, the post-Brexit world may see the country prioritise...
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
CyberArk's John Hurst looks at the true cost of GDPR breaches
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right