'Critical' security flaws found in CPUs: SingCERT

SINGAPORE: Two "critical vulnerabilities" dubbed Meltdown and Spectre affecting desktop computers, smartphones, tablets and cloud services have been found, said the Singapore Computer Emergency Response Team (SingCERT) on Thursday (Jan 4). 

"The vulnerabilities enable attackers to steal any data processed by the computer," it said in an advisory. 

"Meltdown allows attackers to bypass the security boundaries between user applications and the operating system, which enables them to access information from the operating system memory, including sensitive data from other programmes," said SingCERT, adding that so far, only Intel processors are affected by it. 

"Spectre affects Intel, AMD and ARM processors and allows attackers to trick applications into leaking its data," SingCERT added. 

The team said a "successful exploit on vulnerable CPUs could allow attackers to read and access confidential information" including passwords. 

It recommended updating firmware and said vendors such as Intel and Microsoft have pushed out patches to fix the vulnerabilities. SingCERT also recommended that users monitor their respective vendors' websites for the release of security patches and apply them as soon as possible.


Intel said on Wednesday it was "aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices". 

However, it added that "these exploits do not have the potential to corrupt, modify or delete data". It also denied that the bug or flaw was unique to Intel products.

"Based on the analysis to date, many types of computing devices - with many different vendors' processors and operating systems - are susceptible to these exploits," said Intel on its website. 

Intel said it was working with other technology companies including AMD, ARM and several operating system vendors to "develop an industry-wide approach to resolve this issue promptly and constructively". 

"Contrary to some reports, any performance impacts are workload-dependent and, for the average computer user, should not be significant and will be mitigated over time," it added. 

Intel also said that it had, along with other vendors, planned to disclose the issue next week when more software and firmware updates are available, but decided to release a statement early due to "inaccurate media reports". 


Mr Bryce Boland, Asia Pacific chief technology officer at cybersecurity company FireEye, described such vulnerabilities as "extremely problematic".

"Resolving this issue will take time and incur costs," he said. "In many cases, this cost includes security risks, rectification effort and even computing performance." 

According to Mr Boland, such vulnerabilities can have big implications. "Many services can be exposed and affected. Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades. 

"In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities. This will also impact system performance which may have a cumulative effect in data centers for anyone using cloud services and the Internet."

Source: CNA/hs