Tuesday, January 9, 2018
Update your iPhone, iPad and Mac NOW! Apple issues update to protect users from 'Spectre' chip flaw
Apple has released an updated version of its operating system software to fix a major microchip security flaw that affected nearly all computer chips made in the last decade.
Last week, Alphabet Inc's Google and other security researchers disclosed two major chip flaws, one called Meltdown affecting only Intel Corp chips and one called Spectre, that left computing devices vulnerable to hackers.
'iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre,' the firm said.
The technology giant also released software updates for its Mac, Apple TV and Apple Watch.
The iPhone maker had said on Thursday it will release a patch for the Safari web browser on its iPhones, iPads and Macs.
Apple had also said that there were no known instances of hackers taking advantage of the flaw.
'For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,' the company said on its website.
The iOS update is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, it said.
HOW TO UPDATE ALL OF YOUR APPLE DEVICES
The latest updates, 11.2.2 for iOS and 10.13.2 for macOS High Sierra, are available now for iPhones, iPads, and Macs to protect users.
To make sure you are protected, download the latest updates on your device.
On iOS, go to Settings, General then Software Update, then tap Download and Install.
On MacOS, open the App Store and click Updates in the App Store toolbar, then use the Update buttons to download and install any updates listed.
On Apple TV, go to Settings, System, then Software Updates. Select Update Software, then select Download and Install. After the update downloads, your Apple TV will restart and prepare the update.
Macs, iPhones, iPads and Apple TV were all hit by the Meltdown and Spectre vulnerabilities.
Apple says it has already put measures in place to help protect its customers and more will be released in the coming days.
Measures released in iOS 11.2, macOS 10.13.2, and tvOS 11.2 will to help defend against Meltdown.
Apple Watch is not affected by the issue.
Every iPhone, iPad and Mac device could be at risk of being hacked, it had previosuly warned.
Apple confirmed last week that almost all of its devices are affected by Intel and Arm chip 'design flaws' that could expose billions of people's personal data to cyber criminals.
The flaws leave the devices open to the devastating 'Meltdown' and 'Spectre' bugs, discovered by security researchers.
The tech company has warned its customers to only download software for its platforms from trusted sources, like the App Store.
Apple says it has already put measures in place to help protect its customers from Meltdown and more will be released in the coming days.
The firm today released further measures for its Safari web browser to help defend against Spectre.
Browser makers Google, Microsoft Corp and Mozilla Corp's Firefox all confirmed to Reuters that the patches they currently have in place do not protect iOS users.
With Safari and virtually all other popular browsers not patched, hundreds of millions of iPhone and iPad users may have no secure means of browsing the web until Apple issues its patch.
Apple stressed that there were no known instances of hackers taking advantage of the flaw to date.
In a written statement last week, Apple said: 'All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.
'Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
'We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.'
Tech firms have been aware of the bugs since last year, with chip manufacturer Intel informed in June 2017, but the finds have only just gone public.
Apple remained silent for more than a day about the fate of the hundreds of millions of users of its products.
Ben Johnson, co-founder and chief strategist for cyber security firm Carbon Black, said the delay in updating customers about whether Apple's devices are at risk could affect Apple's drive to get more business customers to adopt its hardware.
Speaking to Reuters, he said: 'Something this severe gets the attention of all the employees and executives at a company, and when they go asking the IT and security people about it and security doesn't have an answer for iPhones and iPads, it just doesn't give a whole lot of confidence.'
Measures released in iOS 11.2, macOS 10.13.2, and tvOS 11.2 will to help defend against Meltdown, according to Apple.
Apple Watch is not affected by the issue.
Benchmark tests taken in December showed that the updates had no effect on performance, a spokesman for Cupertino-based company said.
These are expected to cause system slowdowns of around 2.5 per cent.
Security researchers at Google's Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, exposed the two flaws this week.
Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory.
It was first discovered by Project Zero in June last year, when expert Jann Horn found that passwords, encryption keys, and sensitive information open in applications that should have been protected could be accessed.
A second bug, called Spectre, affects chips from Intel, AMD and Arm.
This lets hackers potentially trick otherwise error-free applications into giving up secret information.
Project Zero disclosed the Meltdown vulnerability not long after Intel said it's working to patch it.
Intel says the average computer user won't experience significant slowdowns as it's fixed.
MELTDOWN AND SPECTRE: WHAT YOU NEED TO KNOW
Researchers from Google, academia and cybersecurity firms discovered two flaws in computer chips that affect nearly all modern computers:
Meltdown
This is a flaw that affects laptops, desktop computers and internet servers with Intel chips.
It lets hackers bypass the hardware barrier between applications run by users and the computer's kernel memory.
This has the potential to let hackers access the content of this portion of a computer's memory.
This would enable them to steal data, such as passwords saved in web browsers.
Spectre
This bug affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.
'Spectre' affects chips in smartphones and tablets, as well as computer chips from Intel and Advanced Micro Devices Inc.
Hackers can trick apps into leaking sensitive information.
Spectre is a broader bug that applies to nearly all computing devices.
It is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, experts say.
Tech companies typically withhold details about security problems until fixes are available, so that hackers don't have a roadmap to exploit the flaws.
Both Intel and Google said they were planning to disclose the issue next week, when fixes will be available.
But Intel was forced to come clean about the problem yesterday after news of the flaw became public.
In an interview with CNBC yesterday, Intel CEO Brian Krzanich said: 'We've found no instances of anybody actually executing this exploit.
'Phones, PCs, everything are going to have some impact, but it´ll vary from product to product.'
However, clips on social media claim to show computer security experts using the exploit.
Michael Schwarz, who has a PhD in information security, posted on Twitter 'Using #Meltdown to steal passwords in real time', along with a GIF animation of the procedure.
Researchers say Apple and Microsoft have patches ready for users for desktop computers affected by Meltdown.
Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it 'probably one of the worst CPU bugs ever found' in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.
HOW TO PROTECT YOURSELF
Intel - Chips from the past five years have been patched, more to come
The chip manufacturer says it has already issued updates for the majority of processor products introduced within the past five years.
By the end of next week, Intel expects to have issued updates for more than 90 per cent of processor products introduced within the past five years.
The firm is yet to announce a timetable for patching Intel processors more than five years old.
Reports have suggested that up to 15 years of Intel processors may be affected.
Google - Patch available today
On January 5, Google is issuing a security update to protect Android phones.
Google-branded phones should automatically download the update and you need to just install it. With Pixel and Pixel 2 the update will automatically install too.
Some Android phone manufacturers are slow to patch, so you should contact them to make sure they update it as soon as possible.
The patch for Chrome will be installed on January 23 and some Chromebooks had a mitigation in its OS 63, released in December, write Wired.
If don't want to wait until then an experimental feature from Google called Site Isolation can help in the meantime. This feature makes it harder for malicious websites to access data from other websites you are looking at, writes Cnet.
To use this feature on Windows, Mac, Linux, Chrome OS or Android copy and paste chrome://flags/#enable-site-per-process into the URL in Chrome. Click 'Strict Site Isolation' and then press 'Enable'.
Save your work and then press 'Relaunch now'.
A few Chromebooks are not expected to get the patch because they are too old. Here is a full list (look for 'no' in the right-hand column).
According to Google no other products are affected by these vulnerabilities.
Microsoft - Windows 10 patch available, older versions to come
There is already a patch available for Windows 10 which will automatically be applied.
For older operating systems a patch will be available next week. According to the company, Azure infrastructure is updated.
Linux - Patch available
The system has a patch.
Reports suggest it can slow down Linux-based systems by as much as 17 per cent. Users can opt out if they do not want it.
Amazon - Cloud services patched
The company says its web services have been updated.
Major cloud services aimed at business customers, including Amazon Web Services, Google Cloud Platform and Microsoft Azure, say they have already patched most of their services
Consumers should check with their device maker and operating system provider for security updates and install them as soon as possible.
Intel denied that the patches would bog down computers based on Intel chips.
'Intel has begun providing software and firmware updates to mitigate these exploits,' the Santa Clara, California, Company said in a statement.
'Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.'
ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers.
'This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory,' Mr Hughes said in an email.
AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update.
The company said it believes there 'is near zero risk to AMD products at this time.'
Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates.
Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.
Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched.
INDUSTRY'S BIGGEST PLAYERS
Intel, AMD and Arm are three of the biggest names in the world of computer processors.
Intel
Intel, the world's leading semiconductor manufacturer, started life producing memory chips, including the first metal oxide semiconductor in 1969.
The firm's introduction of the Pentium microprocessor in 1993 helped usher in a personal computer revolution during that decade.
Major companies, including Dell and HP, were early adopters of Intel's chips in their PCs.
Today, most laptop and desktops in the world are powered by an Intel CPU, including rival Apple Macs, which dropped its proprietary chips in favour of the industry leader's in 2005.
AMD
Advanced Micro Devices, better known as AMD, is Intel's only significant rival in the PC processor marketplace.
Alongside Nvidia, it is also one of two dominant players in the manufacture of graphics processing units, used in PC video gaming.
Both Microsoft and Sony chose AMD processors over Intel's to power their latest consoles, the Xbox One and PS4.
AMD processors are also the preferred choice for many custom and home built PCs, particularly among the gaming community.
Arm
Arm processors have conquered the world of smart devices, thanks to their stripped back design.
British company Arm Holdings develops the design of the chips, which is then licensed to other firms.
Processors that use the company's RISC architecture require fewer transistors than larger personal computer chips.
This makes them cheaper, use less power and give off less heat, making them ideal in smaller, more portable gadgets.
This ranges from smartphones to internet connected baby monitors.
The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.
That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.
Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities.
'Exploits for these bugs will be added to hacker´s standard toolkits,' Mr Guido said.
Shares in Intel were down by 3.4 per cent following the report but nudged back up 1.2 percent to $44.70 (£33) in after-hours trading.
Shares in AMD were up one per cent to $11.77 (£8.70), shedding many of the gains they had made earlier in the day when reports suggested its chips were not affected.
It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.
'The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid,' Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company's reputation.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment