Late Jan. 2, tech publisher, The Register, reported two security flaws that they say could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel corp, Advanced Micro Devices Inc. (AMD) and ARM Holdings. One of the bugs will put laptops, desktop computers, smartphones, tablets and internet servers alike at risk. The next day, security researchers disclosed. The two security flaws were first discovered by researchers with Alphabet Inc’s Google Project Zero, in conjunction with academic and industry researchers from several countries.
The first of the two flaws is Meltdown, which affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers reading a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.
Daniel Gruss, one of the researchers at Grusz University of Technology, discovered Meltdown and said it may be one of the worst CPU bugs in history. For now, Meltdown is a short term concern as it can be handled with patch fixes. Spectre on the other hand is a broader bug that applies to virtually all computing devices, making it harder for hackers to take advantage of but is also less easily patched. Spectre has the potential of growing into a much larger and more serious long term issue than the Meltdown flaw.
The researchers who discovered the flaw say Apple Inc. and Microsoft Corp has patches ready to be deployed for desktop computer affected by Meltdown. However, it has been reported by The Register that the patches used to fix the flaws could cause Intel chips to run five to 30 percent slower. Intel has denied this claim and Intel CEO Brian Krzanich told CNBC News, “Phones, PCs, everything [is] going to have some impact, but it’ll vary from product to product.” Krzanich insists the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix.
However, it was also revealed that both vulnerabilities have been around since 1995 and rely on “speculative execution,” which is when your computer tries to guess what you’ll do next so it can perform that task faster and due to the way data is stored, this creates a vulnerability that could give hackers access to other private information on computers. Google, Microsoft, and Apple have been able to quickly release patches. While Apple released a series of patches with macOS 10.13.12 and iOS 11.2 back in December, Microsoft has been having issues with their ‘fixes’. Some users reported Microsoft’s patches to have left their AMD chipped devices inoperable. Due to complains, Microsoft has halted the release of these patches and is working towards creating a newer patch that will correct issues caused by the original ones.
Those who are concerned about the status of their devices can refer to PCWorld’s article, which breaks down what needs to be done for specific devices (namely Apple and Microsoft products) to be protected against the Meltdown and Spectre CPU flaws.