January 25, 2018
On January 3, 2018, the first major security vulnerability of the year was reported. According to technical researchers, a flaw was found in Intel, AMD and Arm core processors that allow kernel memory to be leaked, allowing personal information such as usernames, passwords, login keys and files cached from disk to be taken by hackers. The vulnerabilities, known as Meltdown for Intel processors and Spectre for AMD and Arm processors, are currently in the process of receiving patches.
The crux of the issue is that the affected Intel processors have a flaw that leaves them vulnerable to a “malicious program reading protected areas of a device’s kernel memory, a flaw that could potentially expose protected information like passwords.” This flaw is so ingrained into the processors that it will require a massive OS-level overwrite to patch and fix, on basically every major operating system (Windows, Linux, and macOS). And this issue is not just limited to personal or corporate systems; this flaw will affect major cloud computing providers, including popular environments such as Amazon EC2, Microsoft Azure, and Google Compute Engine.
The leading patch to remediate this issue is to completely sever the kernel memory from user processes. The kernel would be moved into a separate address space, isolating it from all processes to the point that it’s not even involved in any system calls. As a result, this could cause systems with a patched OS to see a drop in performance, anywhere from a “five to 30 percent slowdown, depending on the task and processor model.”
Perhaps most disturbingly, this is said to be a vulnerability that can affect all processors made in the past ten years, but is only now being found out by white hat security researchers. Who knows how long hackers and state actors have known about and exploited this for malicious purposes? A patch for Linux systems is being scrambled together right now, and Microsoft is expected to release a fix in its next cycle of Patch Tuesday.
More information can be found via this link.
Contributed by Shawn McEvoy, Project Manager for United States Patent and Trademark Office (USPTO)