What You Need to Know About The Intel Flaw Everyone’s Freaking Out About


Practically every PC, laptop, tablet, and smartphone is affected.

Silicon Valley is abuzz about ‘Meltdown’ and ‘Spectre’ – new ways for hackers to attack Intel, AMD, and ARM processors that were first discovered by Google last year, and publicly disclosed Wednesday.

Meltdown and Spectre, which take advantage of the same basic security vulnerability in those chips, could hypothetically be used by malicious actors to “read sensitive information in [a] system’s memory, such as passwords, encryption keys, or sensitive information open in applications,” as Google puts it in an official FAQ.

The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or what operating system it runs.

The vulnerability isn’t easy to exploit – it requires a specific set of circumstances, including having malware already running on the device – but it’s not just theoretical.

And the problem could affect much more than just personal devices. The flaw potentially could be exploited on servers and in data centres and massive cloud computing platforms such as Amazon Web Services, Microsoft Azure, or Google Cloud.

In fact, given the right conditions, Meltdown or Spectre could be used by customers of those cloud services to actually steal data from one another.

Although fixes are already being rolled out for the vulnerability, they often will come with a price. Some devices, especially older PCs, could be slowed markedly by them.

Here’s what Meltdown and Spectre are. And, just as importantly, here’s what they’re not.

Am I in immediate danger from this?

There’s some good news: Intel and Google say that they have never seen any attacks like Meltdown or Spectre actually being used in the wild. And companies including Intel, Amazon, Google, Apple, and Microsoft are rushing to issue fixes, with the first wave already out.

The most immediate consequence of all of this will come from those fixes. Some devices will see a performance dip of as much as 30 percent after the fixes are installed, according to some reports. Intel, however, disputed that figure, saying the amount by which computers will be slowed will depend on how they’re being used.

The Meltdown attack only seems to work on Intel processors. You can guard against it with software updates, according to Google. Those are already starting to become available for Linux and Windows 10.

Spectre, by contrast, appears to be much more dangerous. Google says it’s been able to successfully execute Spectre attacks on processors from Intel, ARM, and AMD. And, according to the search giant, there’s no single, simple fix.

It’s harder to pull off a Spectre-based attack, which is why nobody’s completely panicking. But the attack takes advantages of an integral part of how processors work, meaning it will take a new generation of hardware to stamp it out for good.

In fact, that’s how Spectre got its name.

“As it is not easy to fix, it will haunt us for quite some time,” says the official Meltdown/Spectre FAQ.

What are Meltdown and Spectre, anyway?

Despite how they have been discussed so far in the press, Meltdown and Spectre aren’t really “bugs”. Instead, they represent methods discovered by Google’s Project Zero cybersecurity lab to take advantage of the normal ways that Intel, ARM, and AMD processors work.

To use a Star Wars analogy, Google inspected the Death Star plans and found an exploitable weakness in a small thermal exhaust port.

In the same way that two precisely-placed proton torpedoes could blow up the Death Star, so too can Meltdown and Spectre take advantage of a very specific design quirk and get around (or “melt down”, hence the name) processors’ normal security precautions.

In this case, the design feature in question is something called speculative execution, which is a processing technique most Intel chips have used since 1995, and one that’s common in ARM and AMD processors, too.

With speculative execution, processors essentially guess what you’re going to do next. If they guess right, then they’re already ahead of the curve, and you have a snappier computing experience. If they guess wrong, they dump the data and start over.

What Project Zero found were two key ways to trick even secure, well-designed apps into leaking data from those returned processes. The exploits take advantage of a flaw in how the data is dumped that could allow them – with the right malware installed – to read data that should be secret.

This vulnerability is potentially particularly dangerous in cloud computing systems, where users essentially rent time from massive supercomputing clusters. The servers in those clusters may be shared among multiple users, meaning customers running unpatched and unprepared systems could fall prey to data thieves sharing their processors.

What can I do about it?

To guard against the security flaw and the exploits, the first and best thing you can do is make sure you’re up to date with your security patches. The major operating systems have already started issuing patches that will guard against the Meltdown and Spectre attacks.

In fact, fixes have already begun to hit Linux, Android, Apple’s MacOS, and Microsoft’s Windows 10. So whether you have an Android phone, or you’re a developer using Linux in the cloud, it’s time to update your operating system.

Meanwhile, Microsoft told Business Insider it’s working on rolling out mitigations for its Azure cloud platform. Google Cloud is urging customers to update their operating systems, too.

It’s just as important to make sure you stay up-to-date. While Spectre may not have an easy fix, Google says that there are ways to guard against related exploits. Expect Microsoft, Apple, and Google to issue a series of updates to their operating systems as new Spectre-related attacks are discovered.

Additionally, because Meltdown and Spectre require malicious code to already be running on your system, let this be a reminder to practice good online safety behaviours.

Don’t download any software from a source you don’t explicitly trust. And don’t click on any links or files claiming you won $US10 million in a contest you never entered.

Why could the fixes also slow down my device?

The Meltdown and Spectre attacks take advantage of how the “kernels”, or cores, of operating systems interact with processors. Theoretically, the two are supposed to be separated to some degree to prevent exactly this kind of attack. However, Google’s report proves the current precautions aren’t enough.

Operating system developers are said to be adopting a new level of virtual isolation, basically making requests between the processor and the kernel take the long way around.

The problem is that enforcing this kind of separation requires at least a little extra processing power, which would no longer be available to the rest of the system.

As The New York Times notes, researchers are concerned that the fixes could slow down computers by as much as 20 percent to 30 percent. Microsoft is reported to believe that PCs with Intel processors older than the two-year-old “Skylake” models could see significant slowdowns.

Intel disputes that the performance hits will be as dramatic as The Times suggests.

Some of the slowdowns, should they come to pass, could be mitigated by future software updates. Because the vulnerability was just made public, it’s possible that workarounds and new techniques for circumventing the performance hit will come to light as more developers work on solving the problem.

What happens next?

Publicly, Intel is confident the Meltdown and Spectre bugs won’t have a material impact on its stock price or market share, given that they’re relatively hard to execute and have never been used (that we know of).

Meanwhile, AMD shares are soaring on word that the easier-to-pull-off Meltdown attack isn’t known to work on its processors.

However, as Google is so eager to remind us, Spectre looms large. Speculative execution has been a cornerstone of processor design for more than two decades. It will require a huge rethinking from the entire processor industry to guard against this kind of attack in the future.

The threat of Spectre means the next generation of processors – from all the major chip designers – are going to be a lot different than they are today.

Even so, the threat of Spectre is likely to linger with us far into the future. Consumers are replacing their PCs less frequently, which means older PCs that are at risk of the Spectre attack could be in use for years to come.

Meanwhile, there’s been a persistent problem with updating Android devices to the latest version of the operating system, so there’s likely to be lots of unpatched smartphones and tablets in use for as far as the eye can see. So would-be Spectre attackers are likely going to have their choice of targets.

It’s not the end of the world. But it might just be the end of an era for Intel, AMD, ARM, and the way processors are built.

Potential new approaches to treating eye diseases


Potential new approaches to treating eye diseases
These are high magnification images representing immunochemistry of IL-33 (green), Iba1 (red), and GFAP (yellow) in the central retina of a control eye and lesion and nonlesion areas of an AMD eye. The bright-field (BF) images show RPE loss in the AMD lesion site. Bars, 50 µm. Credit: Xi et al., 2016

Potential new approaches to treating eye diseases such as age-related macular degeneration (AMD) are described in a new study, “IL-33 amplifies an innate immune response in the degenerating retina,” in the February Journal of Experimental Medicine.

 AMD is a leading cause of vision impairment in old age, and is caused by the degeneration of cells in the retinal layer of the eye. Retinal cell death can be induced by phagocytic immune cells that infiltrate the tissue in response to injury or infection, but the molecular signals that trigger phagocyte invasion are largely unknown. A team of researchers led by Hongkang Xi and Menno van Lookeren Campagne, of the Department of Immunology at Genentech, Inc., in South San Francisco, Calif., discovered that a pro-inflammatory signaling protein, or cytokine, called IL-33, plays a key role in recruiting phagocytes to damaged retina and inducing .

Working with rats and mice, Xi and colleagues found that specialized called Müller glial cells release IL-33 in response to retinal injury. The cytokine then binds to its receptor on the surface of the Müller cells and induces the release of additional inflammatory proteins that attract phagocytes to the damaged retina. Blocking the IL-33 receptor inhibited this process and prevented injury-induced retinal degeneration.

The researchers also found that IL-33 levels are increased in the retinas of AMD patients, suggesting that the same pathway may occur in humans. Inhibiting IL-33 may therefore help treat AMD and other .

“This study for the first time shows increased expression of IL-33 in AMD and further demonstrates a role for glia-derived IL-33 in the accumulation of myeloid cells in the outer retina, loss of photoreceptors, and functional impairment of the retina in preclinical models of retina stress,” the authors note.

Adults with AMD are accurate, but slower in performing touch screen tasks


Older adults with central vision loss caused by age-related macular degeneration(AMD) have no problem with accuracy in performing touch screen tasks, according to a study in the October issue of Optometry and Vision Science, official journal of the American Academy of Optometry. The journal is published by Wolters Kluwer.

But their performance is slower–especially during the initial “exploration” phase of touch screen tasks, according to the new research by Quentin Lenoble, PhD, of Université Lille Nord de France and colleagues. The study provides initial insights into the best ways of adapting touch screen applications for use by the millions of people affected by AMD.

People with AMD Are Accurate, But Slower, in Using Touch Screens

Age-related macular degeneration is the leading cause of vision loss in older adults, causing serious impairment in driving, reading, and other daily tasks. “The advent of digital displays and use of computer screens has opened up many new possibilities for reading activities and travel aids for AMD sufferers,” comments Anthony Adams, OD, PhD, Editor-in-Chief of Optometry and Vision Science.

Dr. Lenoble and colleagues designed an experiment to see how AMD affected performance on a simple touch screen task. Twenty-four older adults with AMD were asked to explore scenes presented on a touch screen, and then to drag pictured objects to the corresponding scene–for example, matching a fish to the sea.

Their performance was compared with that of older adults without AMD, as well as young adults with normal vision. All three groups were highly accurate in matching the objects to the corresponding scene, with correct response rates of about 99 percent.

However, there were significant differences in the initial “exploration phase”–when participants were visually exploring the scenes presented on the touch screen. Average exploration time was about four seconds for AMD patients, compared to three seconds for older subjects with normal vision. For younger subjects, exploration time was significantly shorter: less than one second.

The younger participants also had shorter touch screen movement times. However, the two groups of older adults had similar movement speeds, whether or not they had AMD.

“This study shows that people with AMD are able to perform a task on a touch screen,” Dr. Lenoble and coauthors write. “They were slower during the exploration phase, but accuracy was not affected.” Based on this finding, the researchers suggest, “AMD impaired the perceptual but not the motor performance of the patients in this task.”

The authors note some limitations of their study–including the fact that it was performed using large, desktop-sized touch screen monitors. It’s unclear how AMD patients would be able to see and navigate the images presented on smaller screens, such as smartphones and global positioning systems.

But the results are an informative first step toward adapting touch screen applications for patients with AMD, and possibly with other visual impairments as well. “The advent of digital displays and use of computer screens has opened up many new possibilities for reading activities and travel aids for AMD sufferers,” says Dr. Adams. “This study suggests that there can be new strategies in making touch screen scenes and materials more identifiable to the many people with low vision caused by AMD.”

Eye Drops Could Treat Age-Related Macular Degeneration


A drop a day might soon keep blindness away. Researchers say they have found a possible treatment for age-related macular degeneration (AMD) — the leading cause of blindness among the elderly — that could be delivered via eye drops.

There currently is no cure for AMD, nor is there a treatment for its most common form, the so-called dry AMD, which affects 90 percent of AMD suffers. The new research, which was conducted in animals, could lead to treatment for people with AMD in the future, the researchers said.

There are two forms of AMD: a “dry” early-stage form characterized by a slow and progressive blurring of central vision, and a “wet” advanced-stage form characterized by further vision loss and the development of blood vessels in the back of the eye that can leak and damage surrounding tissues.

Nearly 2 million Americans ages 40 years and older have poor vision caused by AMD, according to the Centers for Disease Control and Prevention. Worldwide, as many as a third of all people over age 65 have at least some early form of AMD, according to a study published in 2012 in the journal Lancet. Almost all cases of wet AMD develop from dry AMD. [9 Healthy Habits You Can Do in 1 Minute (Or Less)]

Certain antioxidant dietary supplements, such as lutein, initially showed promise in treating AMD, but several large studies found no support for this. So, people with dry AMD can only wait and hope the disease doesn’t progress into debilitating vision loss.

Wet AMD is treated with repeated monthly or bimonthly injections, in the eye, of medication designed to inhibit the formation of new blood vessels, such as the cancer drug bevacizumab (known by its brand name Avastin).

In the new findings, the researchers at Tufts University in Massachusetts led by associate professor of ophthalmology Rajendra Kumar-Singh describe their work as a “proof of concept” study. They demonstrated, in mice, that a chemical called PPADS (short for pyridoxalphosphate-6-azophenyl-2′,4′-disulfonic acid) repairs AMD-induced damage to the eye.

Previous research has shown that AMD is caused in part by high levels of the membrane attack complex (MAC), which is a part of a normal, healthy immune system. The MAC typically forms on the surface of invading bacteria, poking holes through them and destroying them. In people with AMD, however, for reasons not entirely clear, the MAC also targets cells in the retina, killing them and causing a loss of vision.

In the new study, the researchers experimented with PPADS because it is thought to interfere with both MAC formation and new blood vessel growth.

Working with anesthetized mice, the researchers induced tissue damage and blood vessel growth characteristic of AMD. They then applied PPADS daily and, essentially, watched the drug heal the eye damage.

Kumar-Singh told LiveScience that the eye drops that ultimately could be used on people likely wouldn’t use PPADS, but rather a more refined drug.

This research is the first demonstration that a drug can slow the features of dry and wet AMD by topical application — that is, something that could be self-administered as eye drops.

“An ideal therapy would be one that can be self-administered daily by patients,” so that they can avoid uncomfortable injections, Kumar-Singh said.

Robert Mullins, an AMD expert and associate professor of ophthalmology and visual sciences at the University of Iowa, Iowa City, who was not part of the new research, said he was intrigued by the study.

“There is very strong support for the idea that MAC contributes to AMD, and that attenuating MAC could be helpful,” Mullins said.

However, he said that whether MAC is involved in AMD “is still an area of intense study.” If MAC injury is the source of the blood vessel degeneration seen in wet AMD, then local “small-molecule inhibition” as demonstrated with PPADS “holds exciting possibilities,” he added.

Christopher Wanjek is the author of a new novel, “Hey, Einstein!“, a comical nature-versus-nurture tale about raising clones of Albert Einstein in less-than-ideal settings. His column, Bad Medicine, appears regularly on LiveScience.

Real-world data at ARVO highlight transformational outcomes seen with Lucentis®, including lower injection frequency than in original clinical trials.


nova

 

 

  • UK real world study shows 59% reduction of legal blindness attributable to wet AMD since introduction of Lucentis with 9.7 injections spread over 5 years
     
  • New one year REPAIR data shows visual acuity improvement of 14 letters with an average of 3.6 Lucentis injections in myopic CNV patients
     
  • Largest Lucentis meta-analysis, over 10,000 patients, confirms well-established safety profile reported from extensive clinical trials and real-world experience

Novartis has reported that new data with the eye drug Lucentis® (ranibizumab), first licensed in June 2006, is highlighted in a total of 209 abstracts at the 2013 Association for Research in Vision and Ophthalmology (ARVO) annual meeting this week. This research across multiple retinal disease areas, including wet age-related macular degeneration (AMD), diabetic macular edema (DME), retinal vein occlusion (RVO) and myopic choroidal neovascularization (CNV), demonstrates that Lucentis with a wealth of real world long term experience is the pioneering anti-VEGF ocular treatment with its transformational efficacy, individualized treatment regimen, and well established long-term safety profile.

“Lucentis was designed to save sight and this is further demonstrated by the wealth of data in multiple disease areas reported at ARVO this week. In patients with myopic CNV average VA gains were 14 letters with an average of 3.6 injections,” said Dr Timothy Wright, Global Head Development, Novartis Pharma AG. “Real world evidence shows a lower number of injections and clinic visits than in the original studies with Lucentis, whilst achieving an over 50 percent reduction of blindness due to wet AMD.”

Lucentis ARVO highlights include:
Real world evidence in wet AMD: One study looked at how Lucentis treatment impacted the rates of legal blindness secondary to wet AMD in Scotland, UK. Blind registration data from the Royal National Institute for the Blind was retrospectively analyzed. It was reported that since the commencement of treatment with Lucentis there was a 59% reduction in the incidence rate of legal blindness attributable to wet AMD. The mean number of clinic visits decreased by year, with 9.0 in year one, 5.8 in year two, 4.8 in year three, 2.3 in year four and 0.5 in year five; the average number of injections was 9.7 spread over 5 years. This study highlights how the transformational efficacy of Lucentis translates into clinical real-world practice[1]. [Oral session 118]

DME: The response rates were evaluated in patients with DME in the RESTORE trial. Patients were treated with Lucentis 0.5 mg (monotherapy or combined with laser) or laser alone for a duration of 12 months, at 12 months all patients were eligible for Lucentis 0.5mg as-needed and the study was extended to 36 months. The patients who responded better to Lucentis treatment were the ones who were more recently diagnosed with DME, highlighting the need for prompt therapy[2]. [Poster session 290]

Myopic CNV: In the prospective, multicenter trial of Lucentis in myopic CNV patients, the REPAIR study, the primary endpoint was the mean gain in letters from baseline visual acuity at 12 months. At month 12 the mean visual acuity gain was 13.8 letters, this was achieved with a low number of injections to month 12 (mean 3.6, median 3) with 21% patients requiring only the one baseline treatment[3]. [Poster session 314]

Safety profile of Lucentis: In the largest comprehensive evaluation of Lucentis safety data to date, a meta-analysis examining the systemic safety profile of Lucentis across 22 studies and 10,300 patients, the safety profile of was reported to be consistent with that from individual randomized, controlled clinical trials[4]. [Poster session 234]

LUMINOUS, a 5-year, global, prospective, observational, long-term study to evaluate the safety and effectiveness of Lucentis 0.5 mg across its licensed indications is being conducted. This global study, approximately 500 centers in 34 countries worldwide, aims to enroll 30,000 patients. The baseline characteristics of the first cohort of patients enrolled were as expected and are representative of patients from a real-world setting[5]. [Poster session 375]

About Lucentis® (ranibizumab)
Lucentis is a humanized therapeutic antibody fragment designed to block all biologically active forms of vascular endothelial cell growth factor-A (VEGF-A). Increased levels of VEGF-A are seen in wet AMD and other ocular diseases such as diabetic macular edema (DME) and retinal vein occlusion (RVO). Lucentis was specifically designed for the eye, minimizing systemic exposure.

Lucentis is licensed for the treatment of wet AMD in more than 100 countries, in more than 90 countries for the treatment of visual impairment due to DME and in 90 countries for visual impairment due to macular edema secondary to RVO, including both branch- and central-RVO. Novartis submitted regulatory approval for Lucentis for the treatment of myopic CNV in the European Union in the third quarter of 2012. In many countries, including those in Europe, Lucentis has an individualized treatment regimen with the goal of maximizing visual outcomes while minimizing under- or over-treating patients.

Novartis and Alcon sponsor the eXcellence in Ophthalmology Vision Award (XOVA). XOVA is an annual award launched in 2010 that provides funding to non-profit initiatives and projects that will have a positive impact on improving the quality of eye care and make a significant impact in addressing unmet needs in the fields of ophthalmology and optometry.

Lucentis has a well-established safety profile supported by 43 extensive sponsored clinical studies and real-world experience. Its safety profile has been well established in a clinical development program that enrolled more than 12,500 patients across indications and there is more than 1.7 million patient-treatment years of exposure since its launch in the United States in 2006.

Lucentis was developed by Genentech and Novartis. Genentech has the commercial rights to Lucentis in the United States. Novartis has exclusive rights in the rest of the world. Lucentis is a registered trademark of Genentech Inc.

Source: Novartis newsletter