ZDNet UK / News and Analysis / Workspace IT / Processors

Vendors 'slow to fix' hyperthreading flaw

By Renai LeMay, ZDNet Australia, 27 May, 2005 09:30

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Flaw, Security, Hyperthreading, Risk, Small business, Windows, SME, Linux, Red Hat, Intel, Novell, Microsoft, Ubuntu

NEWS

Operating system vendors were given two months notice before a serious security flaw was made public but some have yet to resolve the issue, a security researcher has claimed.

Colin Percival detailed the vulnerability — which affects versions of Intel's CPU that use a technology called hyperthreading — at a conference on 13 May.

The vulnerability could allow hackers to steal sensitive information such as passwords on servers configured to allow multiple users to login simultaneously.

The FreeBSD security team member has received formal responses to the issue from the makers of the BSD family of open-source operating systems, as well as SCO and Ubuntu Linux. However, Linux vendors Red Hat, Novell and Mandriva as well as Microsoft have been slow to act.

"Given that I reported this problem in early March, I really think that they [Microsoft and Linux vendors] should have had a patch over a month ago — in time to test it extensively before releasing it on May 13th," Percival said.

"I made it quite clear to everyone that I would be releasing my paper on that date and that they should make sure they were ready by then," he added.

A spokesperson from Red Hat said its security team rated the issue as having "a moderate security impact", and that it was working with the creators of the OpenSSL toolkit — which is used to exploit the vulnerability — on a fix.

A Microsoft spokesperson said while the company was investigating Percival's report, it was "not aware of any active attacks using this method at this time", and would wait until completion of its investigation to take action.

"We are aware of the issue and have been working on it," a Novell spokesperson said.

Percival also took issue with Intel's reaction. The company had described the risk as "very low".

"Intel is being too simplistic," he said. "This flaw allows users on a machine to steal each others' data."

Although the problem only affects multi-user servers, these machines are widely used. "The most obvious example is shared Web servers, which constitutes the vast majority of small e-commerce sites," he said. "On these systems the flaw is very serious."

Last December, Percival alerted the BSD family to the problem and a workaround has since been posted.

Renai LeMay reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.

Related stories

Hyperthreading footprints expose Intel P4 users

Intel's platform games

Intel shortens dual-core wait

Intel accelerates virtualisation plans

Intel updates Core vPro chips with Ivy Bridge

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

itsajob

2. Bad idea. Making up patch cables loses you your commission from the cable supplier. 3. If you tidy up, other people can understand where the...

4 hours ago by itsajob on Ten IT jobs to save up for those rare lulls
Roberto_Store

Now On Sale, Unlocked iPhone 4S / Galaxy Note In Factory Box. Roberto-Techie(UK) ”Now on Sales” Smartphone, Android,Tablets,Gadget &...

8 hours ago by Roberto_Store on Samsung Galaxy S III lined up for sale
Paul Smyth

Is this classic FUD? One thing I would definitely have notice is a Mozilla threat to stop supporting GNU/Linux.

10 hours ago by Paul Smyth via Facebook on Firefox rapid release improves Fedora Linux
UnderINK

I agree with the previous commenter wholeheartedly. I couldn't say it better myself. This is very 'Big Brother'. And while I agree with protecting...

14 hours ago by UnderINK on European e-identity plan to be unveiled this month
Simon Bisson and Mary Branscombe

Nice to see that Turing's idea of a general purpose computer doing once-hardware-powered tasks in software is now universal ;-) Mary

19 hours ago by Simon Bisson and Mary Branscombe on Software with everything
Jason Burchell

seriously now. I've only bothered to read a small bit of the comments. do me and the rest of the world a favour. stop saying it does not work or...

23 hours ago by Jason Burchell via Facebook on Music industry negotiating over 24-bit downloads
Philip Charles Cohen

Read about it and weep, John Donahoe ... In addition to Visa’s V.me, there is now MasterCard’s PayPass digital wallet soon to arrive; another...

1 day ago by Philip Charles Cohen via Facebook on PayPal takes phone-based payments to the high street
apexwm

Leslie Satenstein : Where have you ever seen Mozilla even mention this? Firefox is the most popular browser in the GNU/Linux OS, so I don't see...

1 day ago by apexwm on Firefox rapid release improves Fedora Linux
songmaster

SHleG: Do you remember building a clockwork scorpion kit (I'm pretty sure I have a photo of it somewhere) — I think it was called something like...

1 day ago by songmaster on Software with everything
Chris Wortman

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

1 day ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release
PatrickG

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

1 day ago by PatrickG on Windows 8 could speed multi-monitor uptake
Leslie Satenstein

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

1 day ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux
Andy Bolstridge

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

1 day ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT
Jack Schofield

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

2 days ago by Jack Schofield on Windows 8 could speed multi-monitor uptake
Jack Schofield

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

2 days ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT
craigsc

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

2 days ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Moley

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

2 days ago by Moley on Windows 8 start-up speed forces USB boot workaround
apexwm

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

2 days ago by apexwm on Windows 8 start-up speed forces USB boot workaround
Gavin Goodman

You can now buy the Xi3 modular computer in the UK at http://www.ocdistribution.com . This can be bought with the Tand3m software, pricing and...

2 days ago by Gavin Goodman on CES 2012: Xi3 microSERV3R
Phil at Cloud4

I agree: Mike Lynch can clearly build a business and manage strategy. I suspect the exit of Mike is more likely the end of a planned handover...

2 days ago by Phil at Cloud4 on HP cuts 27,000 staff as Autonomy chief Lynch leaves

Latest in Processors

Intel updates Core vPro chips with Ivy Bridge

AMD's Trinity processors take on Intel's Ivy Bridge

ARM arrives on servers with Calxeda's Ubuntu demo

Featured white papers

Graphene: A guide to the future from ZDNet UK

ZDNet UK

Graphene: A guide to the future from ZDNet UK

What is graphene? How is graphene made? And why isn't a graphite pencil worth thousands of pounds? Explore this strange material with ZDNet UK's guide to... Read more

Email security: A comparison of the major players

Mimecast

Email security: A comparison of the major players

This guide from Mimecast considers why email security is essential, who the major players are and their strengths and... Read more

Seven Keys to Making or Breaking Your Exchange Infrastructure

Quest Software

Seven Keys to Making or Breaking Your Exchange Infrastructure

Are you getting maximum performance out of your Exchange infrastructure? This white paper looks at seven key aspects of controlling an Exchange email... Read more

Inside ZDNet UK

Indoor navigation coming to a mobile near you soon

Indoor navigation coming to a mobile near you soon

Software with everything

Software with everything

Asus Transformer Pad TF300T

Asus Transformer Pad TF300T

How IT is ganging up on organised cybercrime

How IT is ganging up on organised cybercrime

HTC One V: First take

HTC One V: First take

SharePoint deployment: The final chapter

SharePoint deployment: The final chapter

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls