Data Centre

Rush to fix ‘serious’ computer chip vulnerability

A newly-discovered design flaw has been found on CPU’s that could allow malicious code to access data held in “protected” areas of your computer’s memory.

The vulnerability was originally thought to affect Intel chips (which are used in approx. 80% of desktop PC’s and 90% of laptops worldwide), as well as big-name cloud computing environments including Amazon EC2, Microsoft Azure, and Google.  The truth is that two separate vulnerabilities have been discovered.  The first one (called Meltdown) is known to only affect Intel chips, while the other (called Spectre) affects almost all processors.

Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Mr. Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.

“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Mr. Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.  A fix may not be available for Spectre until a new generation of chips hit the market.

It is understood the bug is present in CPU’s produced in the past decade. It allows normal programs – from database applications to JavaScript in web browsers – to access information in the  “protected” kernel memory areas.

The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of sensitive information, such as passwords, encryption keys or files cached from disk.

The fix is to separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI, but this is likely to affect performance.  It has been suggested that performance could be impacted by as much as 30%

Microsoft are rushing to push out a Windows 10 fix which should be available from 10PM tonight (UK time) with Windows 7 & 8 updates being available from Tuesday 9th Jan.

If you have a support contract with us, we will be rolling out these updates as they become available.




Leave a Reply

Your email address will not be published. Required fields are marked *