Filed Under:Risk Management, Loss Control

Software giants discover massive cybersecurity vulnerability

Intel, Microsoft coping with widespread computer-chip weakness

Google researchers recently discovered that billions of processors that run computers and phones around the world could give cyber attackers unauthorized access to sensitive data. (Photo: Bloomberg)
Google researchers recently discovered that billions of processors that run computers and phones around the world could give cyber attackers unauthorized access to sensitive data. (Photo: Bloomberg)

(Bloomberg) — The world's biggest chipmakers and software companies, including Intel Corp. and Microsoft Corp., are coming to grips with a vulnerability that leaves vast numbers of computers and smartphones susceptible to hacking and performance slowdowns.

Related: 6 ways cybersecurity changed in 2017

Google researchers recently discovered that a feature, present in almost all of the billions of processors that run computers and phones around the world, could give cyberattackers unauthorized access to sensitive data — and whose remedy could drag on device performance. News of the weakness, found last year and reported Tuesday by The Register technology blog, weighed on shares of Intel, the biggest semiconductor maker, while boosting rivals including Advanced Micro Devices Inc. Intel’s silence for most of Wednesday added to investors’ unease.

Late in the day, Intel, Microsoft, Google and other tech bellwethers issued statements aimed at reassuring customers and shareholders. Intel said its chips weren't the only ones affected and predicted no material effect on its business, while Microsoft, the largest software maker, said it released a security update to protect users of devices running Intel and other chips. Google, which said the issue affects Intel, AMD and ARM Holdings Plc chips, noted that it updated most of its systems and products with protections from attack. Amazon.com Inc., whose AWS is No. 1 in cloud computing, said most of its affected servers have already been secured.

Related: 3 best practices for a layered cybersecurity program

Cyber crime's new era


Hackers for decades have exploited security holes in software — for example, by inducing careless, unsuspecting users to open attachments that unleash viruses or other malware onto a device or network. The weakness uncovered by Google, by contrast, underscores the potential damage wreaked by vulnerabilities in hardware. Complex components, such as microprocessors, can be harder to fix and take longer to design from scratch if flawed.

"It's a big one and it’s a severe one. This gives an attacker capabilities that bypass the common operating system security controls that we’ve relied on for 20 years," said Jeff Pollard, an analyst at Forrester Research. "There's big impact on both the consumer and enterprise."

Google said in a blog post that it privately informed Intel, ARM and AMD of these issues on June 1 last year to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer security firms.

Related: 5 things to know about the NAIC's new cybersecurity model law

The 'Meltdown' at hand


In research papers made public online Wednesday, this second group of researchers identified a potential cyberattack that could exploit these vulnerabilities. Calling it "Meltdown," the researchers said that in their tests it affected Intel chips most seriously but could also be used against ARM and AMD processors.

The researchers say they discovered another potential attack they dubbed "Spectre" that would be difficult to pull off but also harder to fix. In a paper on Spectre, they said that chipmakers had long prioritized processing speed over security. "As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required," the researchers said.

Related: 5 big cybersecurity lessons to learn from the Equifax data breach

Intel's stock remained under pressure even after its statement. The company’s shares were down 2.2 percent to $44.28 in early trading in New York.

"We struggle to believe that Intel won’t face some sort of financial liability," analysts at Sanford C. Bernstein wrote in a note.

Hackers for decades have exploited security holes in software. (Photo: AP Images)

Hackers for decades have exploited security holes in software. (Photo: iStock)

Global response


China’s largest cloud computing services scrambled Thursday to address the issue. Domestic industry leader Alibaba Group Holding Ltd. said it planned to update its systems from 1 a.m. on Jan. 12 to handle potential chip security issues. Rival Tencent Holdings Ltd. said it was in touch with Intel on possible fixes but wasn’t aware of any attempted attacks.

Applying the operating system upgrades designed to remedy the flaw could hamper performance, security experts said. The Register reported that slowdowns could be as much as 30 percent — something Intel said would occur only in extremely unusual circumstances. Computer slowdowns will vary based on the task being performed and for the average user "should not be significant and will be mitigated over time," Intel said, adding that it has begun providing software to help limit potential exploits.

Intel’s efforts to play down the impact resulted in a war of words with AMD. Intel said it’s working with chipmakers including AMD and ARM Holdings, as well as operating system makers to develop an industrywide approach to resolving the issue. AMD was quick to retort, saying, "there is near-zero risk" to its processors because of differences in the way they are designed and built.

Related: Sweeping cybersecurity regulations unlikely in Congress: Rep. Himes

The threat to mobile devices


The vulnerability doesn't just affect PCs. All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.

The problem in this case is that this predictive loading of instructions allows access to data that's normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.

"The techniques used to accelerate processors are common to the industry," said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are "worst-case" scenarios, he said.

Intel Chief Executive Officer Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue "a couple of months ago."

"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we're better off to get the fix in place," Krzanich said, explaining how the company responded to the issue.

Related: Get ready: A cyber attack is coming

Tech company tap dance


Google, a unit of Alphabet Inc., identified the researcher as Jann Horn. While many of its products have already been protected, some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.

Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said in a statement. Late in the day, Microsoft said the majority of Azure cloud infrastructure has been updated with the fix and most customers won't see a noticeable slowdown with the update.

"We have not received any information to indicate that these vulnerabilities had been used to attack our customers," Microsoft said. The fixes were originally planned for release on Jan. 9, but were rushed out Wednesday after the weakness was made public, according to a person familiar with the situation.

Apple Inc. didn't respond to requests for comment about how the chip issue may be affecting the company's operating systems.

Providers of computing power and services via the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing resources and energy to perform the same functions while maintaining security, said Frank Gillett, another analyst at Forrester.

"When you're running billions of servers, a 5 percent hit is huge," he said.

See also:

Uncovering silent cyber risk

Do you know these 9 hacking terms?

Related

Top 10 writers of cybersecurity insurance

Interest in cyber insurance and risk continues to grow as a result of high-profile data breaches.

Featured Video

Most Recent Videos

Video Library ››

Top Story

20 safest airlines to fly with in 2018

To recognize those leading the way, AirlineRatings.com released its annual list of the world's safest airlines. Of the 409 airlines it monitors, 20 stand out as the 'best of the best.'

Top Story

11 ways cars will be smarter in 2018

Connected vehicle technology, better electric batteries, and 'infotainment' systems are just three of the trends for insurers and claims specialists to watch.

More Resources

Comments

eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.