MDS vulnerabilities force Google to reduce Chrome OS performance

According to web application penetration testing specialists, Google announced the launch of a Chrome OS update that includes a series of fixes for the MDS vulnerabilities that, if exploited, could allow a malicious hacker to access privileged parts of the memory. The bad news for Chrome users is that Hyper-Threading technology will be disabled by default.

Intel’s Hyper-Threading technology is the method by which some processors double the number of CPU cores the system sees, allowing the CPU to optimize data processing time; in other words, a dual-core Intel CPU can work as if it had four cores, a four-core CPU as if it had eight, and so on.

Basically, Hyper-Threading technology gives a computer more processing power, while increasing the equipment’s battery consumption. The user may not notice that Hyper-Threading is disabled while browsing social media pages, but when using editing programs or similar software the change will be noticeable, commented the web application penetration testing specialists.

MDS vulnerabilities could allow a threat actor to access a user’s activity log using an exploit to search for data in the CPU cache. Although there have been no exploitations in the wild, this possibility worries the cybersecurity community.

Hyper-Threading needs to be disabled because these flaws are found in the CPU hardware, not the software; this security measure changes the way the processor manages its work, so the CPU cache cannot be read by an external component.
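The following is an added example, not code from the article or from Google: a check for whether the MDS mitigation and the Hyper-Threading (SMT) state described above are in effect. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control`; whether a given Chrome OS build exposes these files is an assumption, and the sample inputs are constructed.

```python
from pathlib import Path

SYSFS_CPU = Path("/sys/devices/system/cpu")  # Linux sysfs; assumed available

def read_sysfs(rel):
    """Return the stripped file content, or None if the kernel lacks it."""
    try:
        return (SYSFS_CPU / rel).read_text().strip()
    except OSError:
        return None

def assess_mds(mds_status, smt_control):
    """Classify MDS exposure from vulnerabilities/mds and smt/control."""
    if mds_status is None:
        return {"exposed": None, "reason": "kernel does not report MDS status"}
    # Status looks like "<mitigation state>; <SMT state>"
    base, _, smt_part = (p.strip() for p in mds_status.partition(";"))
    if base == "Not affected":
        return {"exposed": False, "reason": "CPU not affected by MDS"}
    buffers_cleared = base == "Mitigation: Clear CPU buffers"
    # SMT is safe when off, absent, or reported as mitigated by the kernel.
    smt_safe = (smt_part in ("SMT disabled", "SMT mitigated")
                or smt_control in ("off", "forceoff", "notsupported"))
    if not buffers_cleared:
        return {"exposed": True, "reason": f"buffer clearing not effective: {base}"}
    if not smt_safe:
        return {"exposed": True,
                "reason": "buffers cleared, but Hyper-Threading is still enabled"}
    return {"exposed": False, "reason": "buffers cleared and SMT is not a leak path"}

# Constructed sample inputs (status strings follow the kernel's documented format).
SAMPLES = [
    ("Mitigation: Clear CPU buffers; SMT vulnerable", "on"),
    ("Mitigation: Clear CPU buffers; SMT disabled", "off"),
    ("Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled", "forceoff"),
    ("Not affected", "on"),
]

if __name__ == "__main__":
    live = (read_sysfs("vulnerabilities/mds"), read_sysfs("smt/control"))
    for mds, smt in [live] + SAMPLES:
        print(f"{mds!r} / smt={smt!r} -> {assess_mds(mds, smt)}")
```

The first sample is the case the update addresses: the software mitigation is active, yet the system still counts as exposed until Hyper-Threading is turned off.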

According to web application penetration testing specialists, a script on a malicious website or in an Android app could attempt to exploit these vulnerabilities to access the victim’s confidential information stored in the Chrome keystore. Google mentions that this is a first stage of risk mitigation, adding that more security patches will be released in the future.

Experts from the International Institute of Cyber Security (IICS) say that MDS vulnerabilities currently do not affect Chromebook users, and the company is expected to find a better alternative to simply disabling a feature that boosts CPU performance. These vulnerabilities are similar to the well-known Spectre and Meltdown flaws, which Google was able to correct with software updates alone.
