Tech giants race to fix chip design flaw

Please use the sharing tools found via the email icon at the top of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email licensing@ft.com to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found at https://www.ft.com/tour.
https://www.ft.com/content/456875fc-f0e2-11e7-b220-857e26d1aca4

Many of the world’s biggest tech companies are racing to plug an industry-wide security hole that stems from a common flaw in chip designs and could expose almost all computer users to the theft of at least some sensitive data.

The problem, described as unprecedented by experts, affects one of the most fundamental architectural elements of all computing systems, making it far more pervasive than the software flaws that are the usual source of computer security failures.

Both Intel, whose chip designs are at the heart of all PCs and many servers, and Arm Holdings, whose designs are used in almost all smartphones, said they were working to try to fix the problem.

“It’s not really one vendor’s problem. It’s a general design approach,” said Steve Smith, head of Intel’s data centre engineering group. US chipmaker AMD also said late on Wednesday that it was affected, after earlier appearing to try to distance itself from the problem.

“If Intel, AMD and ARM are impacted, we’re basically talking about anything that runs in a computing system anywhere in the world that is less than 10 years old,” said Beau Woods, a cyber safety innovation fellow at the Atlantic Council.

The flaw could make it possible for hackers to see highly sensitive information like passwords and a computer’s encryption keys, which could be used to access encrypted communications, Intel said.

A combination of software and hardware changes will be needed to fix the problem, requiring an unusual, industry-wide effort involving many different software, chip and computer hardware makers, according to industry participants.

Microsoft rushed out a patch to the Windows operating system on Wednesday to fix one vulnerability stemming from the chip design flaw. That vulnerability, known as Meltdown, makes it possible for a program running on a computer to break into an operating system’s central memory, tapping into data it is not meant to have access to.

The Microsoft fix, along with statements by the main chip companies, was released nearly a week ahead of a co-ordinated industry-wide action, after news of the chip problem was first reported by tech news site The Register.

However, while the Meltdown vulnerability can be fixed with a software update, the chip flaw also opens other lines of attack, and security experts said it would require changes to the “firmware” shipped in hardware systems to fully protect all computer systems.

Meltdown would create a “major panic” encouraging people to update systems in the short term, said Paul Kocher, a security researcher, who was among the first to highlight the severity of the problem. But there would be a “very long struggle” to contain damage that could be done by another of the flaws, known as Spectre, he said. That vulnerability makes it possible for a program running on a chip to access data in a separate program, without any need to call on the operating system.

Intel’s shares fell by about 3.5 per cent on Wednesday after the chip design problem surfaced. Brian Krzanich, Intel’s chief executive, sold $14m worth of stock last year, or nearly half his stake in the chipmaker, months after the flaw was first disclosed. The sale left him with the minimum holding required by the company. An Intel spokesperson said the sale was “unrelated”, and had been made as part of an automated sale programme, in which executives give up some control over the timing of sales.

The chip problem was first discovered by a security researcher at Google in June last year, according to both Intel and the search company. In a blog post, Google said it had “collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web”, while also working to protect its own systems.

The biggest risk was to customers of cloud service providers, Mr Woods said. “If Bob’s Discount Warehouse is hosted on a certain provider, I could buy an account and maybe get access to Bob’s Discount Warehouse,” he said. Amazon Web Services, the largest cloud company, said on Wednesday it was close to completing an update on all its systems, though its customers would also have to patch their own operating systems to be secure.

Fixing Meltdown and Spectre has costs
The Meltdown and Spectre vulnerabilities disclosed to the public on Wednesday stem from a basic design change that was made to many computer chips around a decade ago to make them run faster. This allowed applications running on a computer to access data contained in the machine’s operating system memory before they actually needed it.

The change enabled programs to anticipate some of the work they might be required to do in advance — a process known as “speculative execution” — but has now been found to provide a route for malicious programs to see sensitive data held on the machine.

Fixing the problem will mean blocking this pre-emptive access to data and could lead to a significant slowdown in some computer programs. Intel said that the actual impact would depend on the design of software programs, and that the worst affected — those that need to make frequent calls on the operating system — could be slowed by as much as 30 per cent.

The overall impact to performance was likely to be “in the single digits”, said Patrick Moorhead, a chip analyst and former AMD executive, though it would take months before fixes could be rolled out and programs fully tested.
