SAN FRANCISCO — A design flaw disclosed Wednesday in Intel and some other computer chips could have allowed an attacker to view hidden information such as passwords meant to be securely stored on the chip.
Hardware and software manufacturers, including Apple and Microsoft, began pushing out patches Wednesday that protected against attacks making use of the flaw.
The flaw, which Intel dubbed a side-channel analysis attack, was discovered “months ago” Intel CEO Brian Krzanich said on CNBC Wednesday. The discovery was made by researchers at Google’s Project Zero security group, which reported it to the affected companies.
The vulnerabilities undermine some of the most fundamental security constraints employed by modern computers, said Craig Young, a researcher at computer security company Tripwire.
“An an attacker can run code on an affected processor, which leaks information stored in the computer’s memory. This includes things like passwords and cryptographic keys, as well as information needed to more effectively exploit other vulnerabilities,” he said.
A central processing unit, or CPU, is the chip that handles the instructions a computer receives from hardware and software. It is sometimes called the “brain” of the computer.
The security flaw takes advantage of a technique called “speculative execution” used by most modern computer processors to optimize performance. It anticipates what information might be needed next and makes it available, speeding computing, Intel staff said on a conference call with reporters and analysts Wednesday afternoon.
There have been no examples of the flaw being exploited by hackers that Intel or other researchers are aware of, Steve Smith with Intel’s Data Center Engineering Group, said on the call.
The flaws could potentially affect almost all computers built in the past decade. Exactly how difficult such attacks might be to pull off, and how much information could be gained, was not initially clear.
The newly-revealed design flaw allows potential attackers to read secure memory on the chip. According to the Google researchers, the vulnerability affects central processing units made by Advanced Micro Devices, ARM and Intel, and therefore the devices and operating systems that run on them.
Wednesday afternoon chip-maker Advanced Micro Devices said in a statement that the research “was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.”
Given that, AMD said it believed there was “near zero risk to AMD products at this time.”
ntel (INTC) stock fell 3% on Wednesday as news of the flaw spread
If an attacker were to make use of the flaw, it could slow most computers down by as much as 2%. Operations that require lots of information and instructions to be sent through the CPU could see slowdowns of as much as 30%, Intel officials said on the Wednesday call.
Intel said it was working with hardware and software companies to push out fixes to the problem. The company said new chips it is working on will be constructed so that the exploit cannot be used on them, while firmware and software for older CPUs will be updated.
A group of computer industry firms had been working on the issue for several months and had planned to disclose the flaw on January 9. However a news report by the computer security news site The Register on Tuesday forced companies to speed up their response.
courtesy= usatoday.com
