Meltdown: the latest news on two major CPU security bugs – The Verge

Google and Microsoft disclose new CPU flaw, and the fix can slow machines down

2018-05-21T17:28:04-04:00

Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today."

However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs tha …

Read the full story at The Verge.

Intel says it won’t patch older chips for Spectre

2018-04-04T12:45:47-04:00

Intel updated its patching guidance for Spectre this week, continuing the months-long process of fixing the critical security flaw. Although the company had previously said it planned to patch all affected chips, today it clarified that some product lines won't receive updates. Most are older and, presumably, not as widely used. They include: the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.

Intel says it's stopped production of these fixes for three reasons, in its words:

-Micro-architectural characteristics that preclude a practical implementation of featu …

Read the full story at The Verge.

Microsoft offers $250,000 bounty to prevent the next Meltdown and Spectre CPU flaws

2018-03-15T11:28:59-04:00

Microsoft is introducing a new bug bounty reward for the "speculative execution" CPU vulnerabilities that were disclosed recently. The software giant is offering up to $250,000 for bugs that are similar to the Meltdown and Spectre CPU flaws. Microsoft's bounty will run until the end of the year, and it's clearly designed to discover additional flaws as researchers begin to look at these types of vulnerabilities in processor designs.

"Speculative execution is truly a new class of vulnerabilities," says Phillip Misner, a security group manager at Microsoft. "We expect that research is already underway exploring new attack methods." Microsoft …

Read the full story at The Verge.

Intel processors are being redesigned to protect against Spectre

2018-03-15T10:17:15-04:00

Intel is revealing today that the company is introducing hardware protections against the Spectre CPU flaw that was discovered last year. While the Meltdown vulnerability will continue to be addressed through software updates, Intel CEO Brian Krzanich says the company has "redesigned parts of the processor to introduce new levels of protection through partitioning" that will protect against the Spectre variants. Intel's next-generation Xeon processors (Cascade Lake) will include the new partitioning, alongside 8th generation Intel Core processors that ship in the second half of 2018.

The partitioning will work as an extra protective wall be …

Read the full story at The Verge.

Microsoft is bringing Intel’s Spectre fixes to its Windows update catalog

2018-03-01T13:52:30-05:00

Microsoft is planning to distribute Intel's firmware updates to protect Windows 10 systems against the Spectre CPU vulnerability. While Microsoft typically distributes its own firmware updates for Surface devices, the software maker usually leaves it up to PC makers to issue their own firmware updates. Microsoft is now planning to list the Intel firmware updates in its Microsoft Update Catalog, which will help IT admins distribute these to systems.

Updates for Skylake systems will be available initially, and Microsoft says it will list more system firmware updates as they become available. "We will continue to work with chipset and device m …

Read the full story at The Verge.

Intel didn’t warn US government about CPU security flaws until they were public

2018-02-23T05:41:36-05:00

Intel didn't provide US government officials with details on the Meltdown and Spectre CPU flaws until they leaked to the public last month. Reuters reports that US government officials have raised concerns that the flaws weren't disclosed privately as they could have impacted national security. Intel didn't report the flaws to US authorities because hackers hadn't exploited the vulnerabilities yet. The Wall Street Journal previously reported that Intel notified a small number of customers about the flaws, including Chinese companies like Lenovo and Alibaba, before they were revealed publicly.

The approach may explain some of the confusion a …

Read the full story at The Verge.

Intel rolls out Spectre updates for 7th and 8th-gen Core chips

2018-02-21T13:45:57-05:00

Intel is attempting to patch Spectre again today with the rollout of patches for Kaby Lake-, Coffee Lake-, and Skylake-based platforms. The updates will cover the company's sixth, seventh, and eighth-generation Intel Core product lines, as well as the X-series processor family. The Xeon Scalable and Intel Xeon D processors for data center systems will also be protected. The updates will be issued through OEM firmware pushes.

Intel previously issued a patch to address Spectre, but then had to tell users to stop deploying the fix because it sometimes caused computers to spontaneously reboot. At the time, executive vice president Navin Shenoy …

Read the full story at The Verge.

Intel facing 32 lawsuits over Meltdown and Spectre CPU security flaws

2018-02-16T10:35:20-05:00

Intel has revealed today that the company is facing at least 32 lawsuits over the Meltdown and Spectre CPU flaws. "As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed," says Intel in an SEC filing today. The customer class action lawsuits are "seeking monetary damages and equitable relief," while the securities lawsuits "allege that Intel and certain officers violated securities laws by making statements about Intel's products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities."

Intel is also facing action from t …

Read the full story at The Verge.

Microsoft issues emergency Windows update to disable Intel’s buggy Spectre fixes

2018-01-29T04:10:41-05:00

Microsoft has been forced to issue a second out-of-band security update this month, to deal with the issues around Intel's Spectre firmware updates. Intel warned last week that its own security updates have been buggy, causing some systems to spontaneously reboot. Intel then buried a warning in its latest financial results that its buggy firmware updates could lead to "data loss or corruption."

Intel has been advising PC makers and customers to simply stop updating their firmware right now, until properly tested updates are available. Microsoft has gone a step further, and is issuing a new software update for Windows 7, Windows 8.1, and Win …

Read the full story at The Verge.

New macOS patch protects older operating systems against Meltdown

2018-01-23T14:24:49-05:00

Apple has rolled out a new security update to protect older operating systems against the Meltdown bug, the most easily exploitable of the processor vulnerabilities made public earlier this year. Patches for macOS High Sierra were released on January 8th, but the patch did not apply to older versions of the operating system. Today's update brings the same protections to Sierra (version 10.12.6) and El Capitan (version 10.11.6).

It's the latest in a string of patches Apple has released in response to the industry-wide processor failures. The company also developed patches to Safari and WebKit to protect against a separate exploitation of the …

Read the full story at The Verge.