According to web application penetration testing specialists, Google announced the launch of a Chrome OS update that includes a series of fixes for the MDS vulnerabilities which, if exploited, could allow a malicious hacker to access privileged parts of the memory. The bad news for Chrome users is that Hyper-Threading technology will be disabled by default.
Intel’s Hyper-Threading technology is the method by which some processors double the number of CPU cores presented to the system, allowing the CPU to optimize data processing time; in other words, a dual-core Intel CPU can work as if it had four cores, a four-core CPU as if it had eight, and so on.
Basically, Hyper-Threading technology gives a computer more processing power while increasing the equipment’s battery consumption. The user may not notice that Hyper-Threading is disabled while browsing social media pages, but when using editing programs or similar software, the change will be noticeable, the web application penetration testing specialists commented.
MDS vulnerabilities could allow a threat actor to access a user’s activity log using an exploit to search for data in the CPU cache. Although there has been no exploitation in the wild, this possibility worries the cybersecurity community.
Hyper-Threading needs to be disabled because these flaws are found in the CPU hardware, not the software; this security measure changes the way the processor manages its work, so that the CPU cache cannot be read by an external component.
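As an added example (not from Google or the original article), the following shell function shows how a defender could check whether MDS is mitigated and whether Hyper-Threading (SMT) is still enabled on a Linux-based system. It assumes the kernel reports this under `/sys/devices/system/cpu`; the function name `mds_posture` and its exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example: classify the kernel's MDS report together with the SMT state.
# The sysfs root is a parameter so saved copies of the files can be audited.
# Exit codes (chosen for this example): 0 ok, 1 warn, 2 fail, 3 unknown.

mds_posture() {
    root="${1:-/sys/devices/system/cpu}"
    mds_file="$root/vulnerabilities/mds"
    smt_file="$root/smt/control"

    if [ ! -r "$mds_file" ]; then
        echo "UNKNOWN: kernel does not report MDS status"
        return 3
    fi
    mds=$(cat "$mds_file")

    smt="unknown"
    if [ -r "$smt_file" ]; then
        smt=$(cat "$smt_file")
    fi

    case "$mds" in
        "Not affected"*)
            echo "OK: CPU not affected by MDS (smt=$smt)"; return 0 ;;
        Vulnerable*)
            # Also covers "Clear CPU buffers attempted, no microcode"
            echo "FAIL: no effective MDS mitigation: $mds"; return 2 ;;
        Mitigation*)
            # Buffer clearing alone does not protect sibling threads that
            # share one physical core, hence the separate SMT check.
            case "$mds" in
                *"SMT vulnerable"*)
                    echo "WARN: buffers cleared but SMT still on (smt=$smt)"
                    return 1 ;;
                *"SMT disabled"*|*"SMT mitigated"*)
                    echo "OK: $mds (smt=$smt)"; return 0 ;;
                *)
                    echo "WARN: SMT state not reported: $mds"; return 1 ;;
            esac ;;
        *)
            echo "UNKNOWN: unrecognised status: $mds"; return 3 ;;
    esac
}
```

Calling `mds_posture` with no argument reads the live system; passing a directory audits a collected copy of the same files.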
According to web application penetration testing specialists, a script on a malicious website or in an Android app could attempt to exploit these vulnerabilities to access confidential information of the victim stored in the Chrome keystore. Google mentions that this is a first stage of risk mitigation, adding that more security patches will be released in the future.
According to experts from the International Institute of Cyber Security (IICS), MDS vulnerabilities currently do not affect Chromebook users, and the company is expected to find a better alternative to simply disabling a function that powers CPU usage. These vulnerabilities are similar to the well-known Spectre and Meltdown flaws, which Google was able to correct just with software updates.