Google has great news about fixing the Meltdown and Spectre chip flaws

Google has great news about fixing the Meltdown and Spectre chip flaws

Google has great news about fixing the Meltdown and Spectre chip flaws

News of the major security flaw in Intel processors broke two days ago, and since then we've learned that Apple has already patched its Intel based Macs with a previous update.

If this wasn't enough proof that Apple devices are safe from the flaw, take a look at this tweet from software developer Alex Ionescu, who says his studies of macOS code show Apple introduced a fix for the CPU flaw in the release of macOS 10.13.2, and there are additional tweaks set to be introduced in macOS 10.13.3, which is now in beta testing.

Both flaws exploit a specific processor performance feature called speculative execution, but do so in slightly different ways.

Intel and ARM insisted that the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix. Spectre focuses on tricking other applications into accessing locations within their memory.

"Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary", the 16-page research paper on Spectre stated.

"Deep down, it is a hardware flaw that exists in modern processors with an ARM structure".

To counter it, Google developed a binary modification technique called Retpoline that protects against the second variant (named Spectre) of the attack.

AMD said there is "near zero risk" to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem. Hope is growing amongst security researchers for a software fix that removes the threat altogether.

Google is also working to provide new protections in its Chrome browser to help protect against Meltdown and Spectre. To turn it on, type chrome://flags/#enable-site-per-process into your Chrome browser bar and select the box next to "Strict site isolation". This general goal technique is already live on the "entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform".

While the Meltdown and Spectre issues are unsafe, there are now patches available to help mitigate the risks of both flaws. Meltdown has been addressed with software patches issued by Microsoft and Apple, as well as several browser manufacturers. If you don't have automatic updates turned on, go to Windows Settings to manually update.

The vulnerabilities also affect the cloud systems of Amazon, Google and Apple. Although Linux does have mitigations in place, Linux creator Linus Torvalds is among those who aren't entirely convinced that software will fix all the issues. While more lawsuits are expected, Intel's biggest customers are likely to quietly seek compensation for any harm caused by the vulnerabilities, including costs to patch machines or replace microprocessors, Johnson said.

"I think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed", Torvalds wrote in a mailing list message.

Latest News