A major security flaw has been discovered in virtually all computer processors produced by Intel, ARM and AMD. If exploited by hackers, the flaw has the power to put almost every computer, smartphone and cloud network at risk of attack, and their data open to theft.
Intel, ARM and AMD are aware of the flaw and clients like Microsoft, Apple and Google have been working on a fix for some time. But where such information is usually kept private between manufacturers and cybersecurity researchers before going public, this time news of the flaw has leaked ahead of an agreed disclosure date of January 9.
Because the flaw is on hardware, computers running almost any operating system - such as Windows, macOS and Linux - are affected, and researchers say the bug is likely to be found on processors dating back to 1995.
Intel produces processors for around 80 percent of all desktop computers and 90 percent of laptops sold worldwide. The flaw also affects smartphones, tablets and other portable gadgets which use the compromised chips. Potentially billions of devices are at risk of attack and in need of an update from their manufacturers to plug the hole.
Security patches are incoming
Google, which was involved in discovering the flaw, says Android devices were vulnerable, but those running a security update issued on January 2 are now protected. Chrome users will be protected when a new software update arrives on January 23. Google Home and Chromecast users are not affected.
Microsoft has released an emergency patch to protect all Windows 10 devices, with further updates planned soon. The company said: "We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM and AMD."
Meltdown and Spectre were supposed to remain classified until January 9Graz University of Technology
Discovered by a team of security researchers working with Graz University of Technology in Austria, the flaws are called Meltdown and Spectre, the latter of which covers two separate types of vulnerability.
A dedicated website produced by the university states: "These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
The problem lies in a system called speculative execution. This is where a processor predicts which calculations it could do subsequently instead of sequentially. The calculations are then solved in advance if the processor thinks this will save time; some power is wasted, but the task is completed more quickly, to the benefit of the user. The problem lies in how processors don't check permissions correctly while completing these calculations out of order, leaving information about speculative commands in the open and potentially visible to malicious applications.
As the dedicated website explains: "Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows the memory, and thus also the secrets, of other programs and the operating system."
Spectre, meanwhile, is said to "break the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets." The website adds: "In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre….it will haunt us for quite some time."
Security expert Graham Cluley said in a blog post: "The very real fear is that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer's memory which may be storing sensitive information. Think passwords, private keys, credit card data…".
Cluley added: "The bad news is that no one likes to make such low level security updates, particularly under such time-sensitive conditions. Inevitably some businesses will find themselves disrupted by the process. Going forward, the fact that the operating system has to do more because Intel chips have dropped the ball, may mean that some computer operations take a performance hit."