Security flaws reside in Intel processors
User data might be compromised; released patches could slow down performance in older computers.
Google early in January discovered nearly every Intel processor could be vulnerable to a security breach.
Engineers from Google, along with researchers from the Graz University of Technology in Austria and the Germany-based private tech company Cyberus Technology, discovered two primary security flaws inherent in nearly every Intel central processing unit built since 1995.
The two flaws, dubbed Meltdown and Spectre, were discovered separately but operate on the same principle, as they can be exploited to trick the processor into leaking user data.
Meltdown is a hardware vulnerability affecting laptops, desktop computers and internet servers using Intel x86 microprocessors. Spectre is a bug affecting smartphones, tablets and computer chips from several vendors, including Intel, Advanced Micro Devices Inc. and ARM. Spectre lets hackers manipulate applications into leaking sensitive information.
Both flaws are inherent in Intel CPUs.
“The processors are working as designed, the problem is (Intel) realized a bad guy can take advantage of that,” said Richard Maloley, security consultant for Grand Rapids-based Open System Technologies (OST).
Maloley said he sees two major threats to businesses and individual users, one involving a breach in cloud storage.
“Anybody who uses cloud services is immediately at risk if you’re storing on Azure, Google Storage, AWS,” he said. “They already installed security patches, but there are countless other cloud providers a company might be doing business with that have not been patched.”
The other threat, he said, could come from vulnerable applications on web browsers.
“Say I’m a hacker (and) I have a compromised advertisement or ad service on a website. I put in my malicious code. John Doe visits that site. I can steal his data,” Maloley said.
Currently, Google Chrome, Microsoft Internet Explorer and Mozilla Firefox are receiving security patches.
According to information released by Worksighted, a tech firm in Holland, these flaws have been inherent in processors for about 20 years but only recently have been discovered.
Matt Maines, chief technology evangelist at Worksighted, warned the sensationalism surrounding the new discoveries has compelled larger tech companies to release patches before they have been quality controlled. Microsoft was quick to release a patch to remedy the breach, but Maines said the patch ended up slowing processor performance.
“The bigger companies have so much pressure to get something out, and they’ve already made the mistake of putting something out before it’s ready,” Maines said.
Maines said newer processors could experience minimal performance degradation — about 5 percent — because of the Microsoft patch, but older machines — made in or before 2015 — may experience slowdowns up to 30 percent.
“What might have taken 30 seconds now takes two minutes,” he said. “From a business perspective, typically they have an older computer fleet. They’re slow to adopt — it hurts the performance that employees have.”
Maines said the patch also has affected performance of antivirus software.
“It’s acting almost like a malware to detect malware. … Even to apply the patch, the antivirus has to meet a certain standard.”
Worksighted has been communicating with customers and keeping them informed about the security threat, but the company has not yet released any patches. Maines said the company is testing its patches to ensure they don’t compromise performance, which he implied has created more problems than the initial security breach.
“We’re very calculated, and we test our patches because you don’t want to walk in Monday morning and figure out everything’s slow now. … Our team has done a good job of checking the cannon before we fire it,” he said.
Maloley, however, recommended users install any security patches provided by their system vendors. Currently, there’s no evidence hackers or malicious programs are utilizing these security breaches, but in many cases, users’ data could be compromised without them knowing.
Other measures users can take to protect their data are using strong, complex passwords and making sure their web browsers are always updated.
SalesPad, a Grand Rapids company that offers cloud-based inventory management software, thought its performance would be slowed by the new patches, but their configuration prevented any significant degradation.
“When they announced the patches and the reboots, we thought it was going to take some of our systems down,” said Louis Nowlan, director of development at SalesPad. “Our systems are set up with a load balancer, so it didn’t slow it down.”
The company patched its Microsoft processors early in January and also was informed some of its Azure services were going to receive a patch. Nowlan said most of their computers are no older than three years.
“We’re in the process of patching our internal systems, which is mostly Dell computers,” he added. “Dell has been really good about releasing patches.”
Nowlan also confirmed businesses that have older technology could be compromised by the most recent patch and may have to wait longer to receive a better one.
“If you’re a customer that has an older system, you might wait until March or April for a patch. A lot of our customers do run older hardware, so I’m not sure how they’re going to handle that.”