CPU Security Flaw (Meltdown and Spectre) – What you need to know

Processors (CPUs) provide the brainpower for all the computerized devices we use day to day, from PCs and smartphones down to mundane things such as ATMs. Therefore an exploit – or exploits – that affects virtually all of these devices at the same time is a shocking thing to hear about.

Unfortunately, early 2018 saw just such a thing happen with the news that a design flaw in nearly all modern processors had been found.
 

What are Meltdown and Spectre?

Meltdown and Spectre are the names given to the two newly discovered vulnerabilities that affect virtually every device with a processor in it.

They rely on recovering small amounts of data that the processor temporarily exposes as a side effect of a design feature called “speculative execution”.

This is the process by which a CPU, in order to run quickly, guesses what information it will need next and fetches it ahead of time.

Spectre allows attackers to force the processor itself to start the speculative execution process. They then access the extra data to obtain sensitive information that should never be available.

Meltdown fundamentally breaks down the mechanism that stops applications from accessing system memory. By doing so it enables exploits to access arbitrary system memory to retrieve sensitive data.
 

Who discovered them?

Both exploits were independently discovered by multiple teams of researchers.

Meltdown

  • Jann Horn (Google Project Zero)
  • Werner Haas, Thomas Prescher (Cyberus Technology)
  • Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)

Spectre

  • Jann Horn (Google Project Zero)
  • Paul Kocher in collaboration with Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)

 

What systems are affected?

On a technical level, every Intel processor that implements out-of-order execution (speculative execution) is potentially affected. This includes almost all Intel processors dating back all the way to 1995!
A portion of AMD processors and ARM processors are also affected.

All desktop, laptop and cloud computing services may be affected by Meltdown.
 

Am I affected by Meltdown and Spectre?

Yes!

This may seem like a very blunt answer, but due to the wide-reaching nature of the design flaw, you almost certainly own a device that is affected.
 

Does my antivirus protect me?

Antivirus programs could in theory detect the use of these exploits; in practice, however, it is very unlikely. Your antivirus may detect malware designed to exploit these vulnerabilities, but it cannot detect or remove the vulnerabilities themselves.
 

How do I protect myself?

Meltdown can be fixed with a software patch, as it relies on breaking the isolation between user applications and the operating system.

Computers with a vulnerable processor and an unpatched operating system remain open to exploitation.

Fortunately, operating system vendors have released patches to protect their users. As long as you regularly update your operating system using its built-in update tools, you should be fully protected from the Meltdown vulnerability.

As usual, practise safe web browsing habits and avoid installing software that could be malware, since such malware may make use of these vulnerabilities.

Spectre has proven much harder to protect against, as it exploits behaviour built into the hardware itself.

Initial advice so far is to follow the same basic steps as for Meltdown:

  • Update your operating system frequently
  • Install updates from your hardware manufacturer (firmware updates)
  • Turn on site isolation mode in your web browser (Chrome and Firefox); this prevents JavaScript-based exploits from making use of the Spectre vulnerability
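A quick way to confirm that the operating system patches above have actually taken effect on a Linux machine is to read the kernel's own verdict from sysfs. The script below is an added example, not code from the original article; it assumes a Linux host (kernel 4.15 or later, which introduced the `/sys/devices/system/cpu/vulnerabilities` directory) and falls back to a constructed sample report elsewhere.

```python
"""Report the Linux kernel's own verdict on Meltdown/Spectre mitigations.

Since kernel 4.15, Linux exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities; each holds a single line that
starts with "Not affected", "Mitigation: ..." or "Vulnerable".
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # assumes a Linux host

# Constructed sample in the kernel's format (not captured from a real machine):
# a CPU with the Meltdown patch (PTI) applied but Spectre v2 left unmitigated.
SAMPLE_REPORT = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(line):
    """Map one sysfs line to a coarse status string."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised wording: treat as needing a closer look


def read_sysfs(directory=SYSFS_DIR):
    """Read every file in the vulnerabilities directory; empty on non-Linux hosts."""
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                report[name] = fh.read().strip()
        except OSError:
            continue  # some entries may be unreadable without root
    return report


def needs_action(report):
    """Names of issues the kernel reports as vulnerable or in unrecognised wording."""
    return sorted(n for n, v in report.items() if classify(v) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    report = read_sysfs() or SAMPLE_REPORT  # use the sample when sysfs is absent
    for name, line in sorted(report.items()):
        print(f"{name:12s} {classify(line):13s} {line}")
    print("action needed:", needs_action(report) or "none")
```

A non-empty `needs_action` result means the kernel itself still considers that issue open, so the corresponding OS or firmware update has not been applied (or has been disabled).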

 

What next?

The main thing for most people to do is to not panic. If you have followed the basic security steps and best practices above then you will almost certainly be safe.

It is important to note that some of the security patches that have been released may deliver a performance hit to your device. This is a widespread complaint and many of the operating system vendors recognize this as an issue.

They have stated that the performance hit should not be noticeable to the average user, however, hits to performance are “highly variable and depend on a number of factors”.

If you feel like your device performance has been significantly affected, do some research on whichever update you just installed. Other people may have suggestions and/or the vendor themselves may recognize a compatibility issue with certain device setups.
 

Conclusion

The shock release of these two huge vulnerabilities should be a wakeup call to the entire world.

It is increasingly important in this day and age to be ever vigilant about what information you store on your devices.

More importantly, users and companies should focus on preventative practices, such as being aware of potential malware that could expose devices to cybercriminals.

For more advice on what users should look out for in 2018, see our article “Internet security threats to look out for in 2018”.
