What happened

On January 3, 2018, experts told about the vulnerability in Intel processors released in the last 20 years. An error in the design of the chips may allow attackers to gain access to the protected part of the kernel's memory and the logins, passwords and other files stored there.

To intercept this data, criminals just need to run the JavaScript code through the user's web browser.

How it works

Vulnerability reveals two types of attacks: Meltdown ("Crash") and Specter ("Ghost"). Meltdown - a problem that primarily threatens the cloud services, said The New York Times. This vulnerability allows to break the barrier between applications and internal OS memory, that is, to receive data stored in the system memory.

For example, one application is able to see in real time through the internal memory of the system what data (including passwords) are entered through another application.

Vulnerability Specter, according to experts, is a problem that experts will correct "for many decades." Among other things, it allows conventional applications to extract data from other applications running on the same system.

This bug is more complex for attackers, but it's also harder to fix, experts say.

Who is vulnerable to attack

About the problems with security announced the manufacturer of Intel chips, the company also said that there are similar problems with other manufacturers. In the statements of Intel and Microsoft mentioned vulnerabilities in the chips of AMD and ARM, but in AMD their involvement in the problem is denied.

How manufacturers solve the problem

To protect users, companies release patches that separate kernels from user processes, transfer them to a separate address space. The problem with this solution is that it degrades the performance of computers, according to general estimates, by 5-30%.

In this case, ordinary users may not notice the changes: patch tests for Intel showed that, for example, when running games on Linux, the performance of devices is almost not affected.

Microsoft has already released an emergency update to Windows, Apple partially closed the vulnerability in the update for macOS on December 6. The Linux kernel update also came out in December.

Google will release updates to protect smartphones Nexus 5X, Nexus 6P, Pixel C, Pixel / XL, and Pixel 2 / XL in January, they will be downloaded to the devices automatically. The company also made some updates to the Chrome browser, the vulnerability will be completely closed in the version of Chrome 64.

Some cloud services, including DigitalOcean, Microsoft, Google and AWS, also talked about the work on the fixes.

What to do

Companies commenting on the situation advise users to install updates and promise that customers will not notice a decrease in the performance of their devices.

According to Bloomberg, experts have not yet managed to fix any attacks related to Meltdown and Specter.

vc.ru