Businesses wary of rushing through on chip flaw patches

Fear that a fix to the microchip security issue may slow down or crash computers

January 06, 2018 08:04 pm | Updated 10:48 pm IST

Speed vs safety: Intel says the performance impact of these updates is highly workload-dependent.

Chances that a fix to a major microchip security flaw may slow down or crash some computer systems are leading some businesses to hold off installing software patches, fearing the cure may be worse than the original problem.

Researchers revealed security problems with chips from Intel Corp. and many of its rivals, sending businesses, governments and consumers scrambling to understand the extent of the threat and the cost of fixes. Rather than rushing to put on patches, a costly and time-intensive endeavour for major systems, some businesses are testing the fix, leaving their machines vulnerable.

“If you start applying patches across your whole fleet without doing proper testing, you could cause systems to crash, essentially putting all of your employees out of work,” said Ben Johnson, co-founder of cybersecurity start-up Obsidian.

Banks and other financial institutions spent much of the week studying the vulnerabilities, said Greg Temm, chief information risk officer with the Financial Services Information Sharing and Analysis Center, an industry group that shares data on emerging cyberthreats.

The flaws affect virtually all computers and mobile devices, but are not considered “critical” because there is no evidence that hackers have figured out how to exploit them, said Mr. Temm, whose group works with many of the world’s largest banks.

‘Diagnosis of high BP’

“It’s like getting a diagnosis of high blood pressure, but not having a cardiac arrest,” Mr. Temm said. “We’re taking it seriously, but it’s not something that is killing us.”

Banks are testing the patches to see if they slow operations and, if so, what changes need to be made, Mr. Temm said. For instance, computers could be added to networks to make up for the lack of processor speed in individual machines, he added. Some popular antivirus software programs are incompatible with the software updates, causing desktop and laptop computers to freeze up and show a “blue screen of death,” researcher Mr. Johnson said.

Antivirus software makers responded by rolling out fixes to make their products compatible with the updated operating systems, he said. In a blog posting, Microsoft Corp. said it would only offer security patches to Windows customers whose antivirus software suppliers had confirmed with Microsoft that the patch would not crash the customer’s machine.

“If you have not been offered the security update, you may be running incompatible antivirus software, and you should consult the software vendor,” Microsoft advised in the blog post.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time,” the chipmaker said. It cited Amazon.com Inc., Apple Inc., Alphabet Inc.’s and Microsoft as saying that most users had seen no significant impact on performance after installing the patches. The cloud vendors are among a group of firms that quickly patched their technology to mitigate against the threat from one of those vulnerabilities, dubbed Meltdown, which only affects machines running Intel chips.

Major software makers have not issued patches to protect against the second vulnerability, dubbed Spectre, which affects nearly all computer chips made in the last decade, including those from Intel, Advanced Micro Devices Inc., and ARM-architecture manufacturers, including Qualcomm Inc. However, Google, Firefox and Microsoft have implemented measures in most web browsers to stop hackers from launching remote attacks using Spectre.

Governments and security experts say they have seen no cyberattacks seeking to exploit either vulnerability, though they expect attempts by hackers as they digest technical data about the security flaws. One key risk is that hackers will develop code that can infect the personal computers of people visiting malicious websites, said Chris Wysopal, chief technology officer of cybersecurity firm Veracode.

He advised PC owners to install the patches to protect against such potential attacks. Computer servers at large enterprises are less at risk, he said, because those systems are not used to surf the web and can only be infected in a Meltdown attack if a hacker has already breached that network.
