Tech firms rush out patches for 'pervasive' computer flaw

Washington, Jan 5 (AFP) Amid a frantic rush to patch a computer security flaw, experts struggled today to determine the impact of a newly discovered vulnerability which could affect billions of devices worldwide.

Cybersecurity researchers called for computer systems to urgently install updates a day after the release of details of the so-called Spectre and Meltdown vulnerabilities affecting the chips powering most modern PCs and many mobile devices.

Researchers on Wednesday published details of the flaw, which unlike many other vulnerabilities stems from the chip itself and how it safeguards private data stored on computers and networks.

The researchers at Google showed how a hacker could exploit the flaw to get passwords, encryption codes and more, even though there have been no reports of any attacks using the vulnerability.

"The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes," said Mozilla researcher Luke Wagner in a blog post.

The revelations "attack the foundational modern computer building block capability that enforces protection of the (operating system)," said Steve Grobman, chief technology officer at security firm McAfee.

"Businesses and consumers should update operating systems and apply patches as soon as they become available."

Computer chipmaking giant Intel -- the focus of the first reports on the flaw -- said the company and its partners "have made significant progress in deploying updates" to mitigate any threats.

"Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years," an Intel statement said.

"In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services."

But John Bambenek, a Fidelis security researcher who works with the SANS Internet Storm Center, warned that it may be too soon to know the extent of the problem.

"This bug is probably worth its name and logo considering the pervasive nature of the vulnerability," Bambenek said in a blog post.

"Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud... environments to leak memory outside the running virtual machine."

In a web page dedicated to the vulnerability, security researchers said Meltdown and Spectre may "get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."

The two flaws "work on personal computers, mobile devices, and in the cloud," the researchers said.

"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time," Apple said in a post at an online support page.

It advised only getting apps from its online App Store which vets programs for safety, and said it has already released some "mitigations" to protect against the exploit and planned to release a defensive update for Safari on macOS and iOS in the coming days.

Some experts pointed out that the only real "fix" in some cases would be replacing the chip itself, which would be a massive issue for the computing industry.

"The good news is patches are out for almost everything," Bambenek said.

"The bad news is, Spectre, in particular can't be completely mitigated by patching as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit."

The US government's Computer Emergency Response Team initially indicated in a bulletin that only a hardware fix would solve the problem, but then removed that from an update.

"Fully removing the vulnerability requires replacing vulnerable CPU (central processing unit) hardware," said the first bulletin. (AFP) PMS

This is unedited, unformatted feed from the Press Trust of India wire.
