Businesses Rush to Contain Fallout From Major Chip Flaws

Businesses and institutions raced to patch computer systems and braced for expected slowdowns in system performance as they--and much of Silicon Valley--tried to gauge the fallout from the disclosure this week of two long-hidden vulnerabilities affecting chips running most of the world's computers.

The two flaws, dubbed Meltdown and Spectre by the researchers who discovered them, give hackers a way to exploit tricks that many modern chips use to speed performance, and to use those tricks to steal information from the chips' memory, such as passwords.

Experts say software patches to plug the holes could slow computers. In the case of one of the flaws, these experts say, full protection from the vulnerability may require swapping out most of today's generation of chip hardware for a new generation, a task that could take years to fully roll out.

"It's kind of a worst-nightmare from a security-response perspective," said Paul Kocher, an independent security researcher who was among those who discovered the vulnerabilities disclosed Wednesday. "There is going to be vulnerable hardware around for a very long time."

The U.S. Computer Emergency Readiness Team, which is part of the U.S. Department of Homeland Security, and the U.K.'s National Cyber Security Centre, an arm of Britain's intelligence agency, said they weren't aware of hackers attacking via these vulnerabilities so far. They encouraged organizations and people to install the latest software patches.

Experts said that exploiting Spectre, the thornier of the vulnerabilities--related to design issues that had gone largely unnoticed for years--isn't a straightforward task. That could blunt the immediate threat that hackers would use the disclosure to attack computers.

For corporate chief information officers, though, the pathway to address Meltdown and Spectre in any comprehensive manner was still unclear early Friday. Chip makers and software vendors have been pushing out information and advice in recent days about how to mitigate risks. In some cases, that includes software patches.

"At this point, there is a lot more that we don't know than we know," said Darren Dworkin, CIO of Cedars-Sinai Medical System in Los Angeles. "The fix around this is not going to be conventional."

"Very serious flaw identified, maybe unprecedented," said Chris Krebs, CIO of Fruit of the Loom, owned by Berkshire Hathaway Inc. "I'm very concerned."

Intel Corp., which dominates the market for chips that run servers and personal computers, said Thursday it had developed and was "rapidly" issuing updates, including software patches, for all types of Intel-based computer systems, including personal computers and servers, that could be vulnerable to the two flaws. It said it expected that by the end of next week, it would have issued updates for more than 90% of its processor products five years old or less that could be vulnerable.

It said that such patches and other fixes could affect performance, though disruptions would be "workload-dependent." It said it didn't expect the average computer user to experience significant disruptions, and any delay would lessen over time.

The Financial Services Information Sharing and Analysis Center, a group that banks and other financial-services firms use to communicate on cybersecurity issues, said it expects any fixes will involve "performance degradation" and "require more processing power for affected systems to compensate."

Microsoft Corp., Amazon.com Inc., Alphabet Inc.-owned Google, Apple Inc. and others moved to explain the nature of the bugs and what they have done to minimize the threat, including rolling out software fixes for Meltdown. But several also emphasized that customers of their products should apply software patches of their own.

Amazon, for instance, said it had notified its web-services customers that it was patching its data centers. The company said, though, that customers need to patch the operating systems they are running on top of Amazon's infrastructure.

Apple weighed in late Thursday, saying all of its iPhones, iPads and Mac computers are affected, though no known exploits had hit its customers. The company said it issued updates to address the Meltdown vulnerability for its products, including the Apple TV, and that the Apple Watch wasn't at risk. A fix for its Safari web browser to defend against the Spectre flaw was expected in the coming days, Apple said.

Alibaba Group Holding Ltd.'s cloud-services business said Friday it had been working with Intel before the disclosure of the bugs and had plans to fix any vulnerabilities by Jan. 12. "Our solutions shouldn't affect clients' operations under normal circumstances," it said in a statement.

Shanghai's municipal cyber administration office warned Friday that the flaws could affect all information and internet infrastructure in the city and asked companies and government offices to apply patches.

Past attacks, such as last spring's WannaCry exploit, show that users don't update devices as diligently as they should. Worries over slowed computer performance could also make people and organizations hesitant to download protective software--especially if it appears the vulnerabilities remain difficult to exploit.

For some, patching is easier than for others. Apple and Microsoft are able to quickly issue security patches to affected iPhones, MacBooks and Windows computers.

Google, however, must rely on device makers to pass on its security updates to users' Android phones. Google said it has sent security updates to manufacturers, but it isn't sure how many phones have yet received the updates--or will receive them.

And patches and other software fixes may not be the definitive answer. Patches can protect against Meltdown. But it isn't clear if they can fully protect against Spectre. CERT, a federally funded cybersecurity research organization at Carnegie Mellon University, initially said on Wednesday that only new hardware could fully fix it. But on Friday, it updated its assessment, saying updates to operating systems or apps could "mitigate these attacks."

Still, experts say full protection might require design changes, which could take a year to roll out. Luckily, experts say, Spectre is a difficult attack to mount. It requires tailoring to the systems being targeted, and hackers might take a while to figure out how to take advantage of it.

"My hope is that by the time attackers learn to exploit this thing, the defense improves to the point that it's no longer a serious threat," said Werner Haas, chief technology officer of Germany-based Cyberus Technology and another of the researchers who helped uncover the vulnerabilities.

Yang Jie in Beijing contributed to this article.

Write to Sam Schechner at sam.schechner@wsj.com, Stu Woo at Stu.Woo@wsj.com and Jay Greene at Jay.Greene@wsj.com


(END) Dow Jones Newswires

January 05, 2018 09:17 ET (14:17 GMT)