CPU design flaw may impact older system in India: Experts

Experts believe versions older than Windows 10 and Android 7.0 might not be promptly updated given that traditionally consumers tend to cut corners when it comes to upgrading their systems

Indian consumers who use older personal computers or smartphones are vulnerable to a design flaw discovered 

in Intel chips, despite efforts by technology giants to issue software patches to fix the defect.

Analysts are concerned that these patches may only reach more recent products that are covered by service agreements. Since Indian consumers tend to go in for slightly older products to save on costs, many users may fall out of the realm of service.

“Consumers using the latest software are likely to benefit more from these software updates. Newer PC versions are likely to be promptly updated. Smartphones, again, will be a very tricky business because updates have to be enabled by users and they need to have the bandwidth to download the same,” said N Shah, research director, Counterpoint Research. 

Devices manufactured in the past decade would most certainly be affected by the industry-wide design flaw, he added. Retail and financial sectors should take special care to update their systems, he noted. Versions older than Windows 10 and Android 7.0 might not be promptly updated given that traditionally consumers tend to cut corners when it comes to upgrading their systems. 

Smartphone updates are usually issued at a firmware level by their manufacturers. So to ensure that a hardware bug is fixed effectively Android software updates may need more than one iteration. Data centres are less likely to be affected by these concerns as these function in more controlled environments. Another area of concern would be enterprise users like retail chains and financial clients, which usually took some time to patch systems in bulk, he added. 

Apple said while the vulnerability was extremely difficult to exploit, even through dubious apps, it could potentially be effected through JavaScript on a web browser. “Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5 per cent on the JetStream benchmark,” said the company in a note.

The defect identified by a Google security engineer has created nervousness across technology companies globally. “An unauthorised party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications running on these CPUs. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host,” said Matt Linton, senior security engineer, on a Google blog post yesterday.

The kernel-level bugs have been nicknamed Meltdown and Spectre. While the first one is specific to desktop devices, the latter targets a wider selection of devices, including smartphones. Spectre affects chips from Intel, AMD and the Softbank-led ARM. A Symantec adviser said,“Patches have already been released for Windows, macOS, and Linux to patch Meltdown. Spectre is reportedly more difficult to patch, but also more difficult to exploit.”  However, the software updates may affect device performance, say experts.  These vulnerabilities affect many CPUs, including those from AMD, ARM and Intel, as well as the devices and operating systems running on them. Google has issued a statement ensuring users that all G-suite applications and the Google cloud platform have been updated to prevent “all known attack vectors”. 

Apple has confirmed that all its devices are affected by the vulnerability and has released patches. Apple’s smartwatches have not been affected by Meltdown.