A newly discovered flaw in the central processing units (CPUs) of computers, mobile devices, and cloud computing devices puts users at risk of hacking — regardless of their software or operating system (OS). And the flaw affects virtually every computer, mobile device, and cloud computing device created in the last 20 years.
Just over a week ago, several security professionals, including Google’s Project Zero, a few universities, and private security firms, found the flaw and two possible lines of attack that hackers can pursue based on this flaw. Project Zero named the attacks “Meltdown” and “Spectre.” The hardware bug is part of Intel CPUs, and apparently was also found on AMD and ARM processors. The bug allows processes to delve into and access memory in the computer’s kernel, the deepest and most privileged area of a machine. This spells disaster, as the exploit can spy on data and other processes, effectively escaping any type of security “sandbox.” The worst part? It affects computers as well as smartphones and other devices, regardless of operating systems.
A very basic principle of software and computer security is “sandboxing” and application permissions. Basically, programs and code are isolated, or put in a virtual “sandbox” to play by themselves and only with the toys they are assigned. This prevents these programs from reaching into the proverbial cookie jar, because the cookie jar is hidden from them (for good reason). Isolation prevents applications from accessing things that would compromise the security of the device, such as core OS components, root privileges, or even personal files and folders that have nothing to do with the application in question. This practice, which one can see on their mobile phone’s “permissions,” for example, is ubiquitous, thankfully. However, a serious flaw enables hackers to completely work around this security practice. The scary part is that while kernel developers are working on pushing out patches to fix the problem, those patches are slow in coming because the flaw is in the central processing unit (CPU), the “brain” of literally millions of devices. The patches are a type of computer “brain surgery,” and it takes time to do it correctly.