Businesses cautious in installing patches to fix chip
flaw
Send a link to a friend
 [January 16, 2018]
By Stephen Nellis and Jim Finkle
(Reuters) - Chances that a fix to a major
microchip security flaw may slow down or crash some computer systems are
leading some businesses to hold off installing software patches, fearing
the cure may be worse than the original problem.
Researchers this week revealed security problems with chips from Intel
Corp <INTC.O> and many of its rivals, sending businesses, governments
and consumers scrambling to understand the extent of the threat and the
cost of fixes.
Rather than rushing to put on patches, a costly and time-intensive
endeavor for major systems, some businesses are testing the fix, leaving
their machines vulnerable.
"If you start applying patches across your whole fleet without doing
proper testing, you could cause systems to crash, essentially putting
all of your employees out of work," said Ben Johnson, co-founder of
cyber-security startup Obsidian.
Banks and other financial institutions spent much of the week studying
the vulnerabilities, said Greg Temm, chief information risk officer with
the Financial Services Financial Services Information Sharing and
Analysis Center, an industry group that shares data on emerging cyber
threats.
The flaws affect virtually all computers and mobile devices, but are not
considered "critical" because there is no evidence that hackers have
figured out how to exploit them, said Temm, whose group works with many
of the world's largest banks.
"It's like getting a diagnosis of high blood pressure, but not having a
cardiac arrest," Temm said. "We're taking it seriously, but it's not
something that is killing us."
Banks are testing the patches to see if they slow operations and, if so,
what changes need to be made, Temm said. For instance, computers could
be added to networks to make up for the lack of processor speed in
individual machines, he added.
Some popular antivirus software programs are incompatible with the
software updates, causing desktop and laptop computers to freeze up and
show a "blue screen of death," researcher Johnson said.
Antivirus software makers responded by rolling out fixes to make their
products compatible with the updated operating systems, he said. In a
blog posting on Friday, Microsoft Corp <MSFT.O> said it would only offer
security patches to Windows customers whose antivirus software suppliers
had confirmed with Microsoft that the patch would not crash the
customer's machine.
"If you have not been offered the security update, you may be running
incompatible antivirus software, and you should consult the software
vendor," Microsoft advised in the blog post.
Government agencies also are watching. The Ohio Attorney General's
office is monitoring the situation, a spokesman said by email.
[to top of second column] |
A man looks at the screen of his mobile phone in front of an Apple
logo outside its store in Shanghai, China on July 30, 2017.
REUTERS/Aly Song/File Photo
"Intel continues to believe that the performance impact of these updates is
highly workload-dependent and, for the average computer user, should not be
significant and will be mitigated over time," the world's No. 1 chipmaker said
on Thursday in a release.
It cited Amazon.com Inc <AMZN.O>, Apple Inc <AAPL.O>, Alphabet Inc's <GOOGL.O>
and Microsoft as saying that most users had seen no significant impact on
performance after installing the patches.
The cloud vendors are among a group of firms that quickly patched their
technology to mitigate against the threat from one of those vulnerabilities,
dubbed Meltdown, which only affects machines running Intel chips.
Major software makers have not issued patches to protect against the second
vulnerability, dubbed Spectre, which affects nearly all computer chips made in
the last decade, including those from Intel, Advanced Micro Devices Inc <AMD.O>,
and ARM-architecture manufacturers, including Qualcomm Inc <QCOM.O>.
However, Google, Firefox and Microsoft have implemented measures in most web
browsers to stop hackers from launching remote attacks using Spectre.
Governments and security experts say they have seen no cyber attacks seeking to
exploit either vulnerability, though they expect attempts by hackers as they
digest technical data about the security flaws.
One key risk is that hackers will develop code that can infect the personal
computers of people visiting malicious websites, said Chris Wysopal, chief
technology officer of cyber security firm Veracode.
He advised PC owners to install the patches to protect against such potential
attacks. Computer servers at large enterprises are less at risk, he said,
because those systems are not used to surf the web and can only be infected in a
Meltdown attack if a hacker has already breached that network.
Microsoft has issued a patch for its Windows operating system, and Apple desktop
users with the most recent operating system are protected. Google has said most
of its Chromebook laptops are already protected and that the rest would be soon.
Apple said it planned to release a patch to its Safari web browser within coming
days to protect Mac and iOS users from Spectre.
While third-party browsers from Google and others can protect Mac users from
Spectre, all major web browsers for Apple's iOS devices depend on receiving a
patch from Apple. Until then, hundreds of millions of iPhone and iPad users will
be exposed to potential Spectre attacks while browsing the Web.
(Editing by Richard Chang)
[© 2018 Thomson Reuters. All rights
reserved.] Copyright 2018 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
