Software developers are working to release fixes and updates to protect computers and mobile devices from two security flaws discovered by a team of researchers from Google Project Zero working with academia and cybersecurity firms. The flaws, known as “Meltdown” and “Spectre” affect computing devices with chips from Intel Corp, Advanced Micro Devices Inc., and ARM Holdings. “Phones, PCs, everything are going to have some impact, but it’ll vary from product to product,” Intel CEO Brian Krzanich said in an interview with CNBC last Wednesday afternoon.
Meltdown affects laptops, desktops, and internet servers with Intel chips, allowing hackers to access a computer’s offline and online data, including passwords saved in web browsers, by circumventing the hardware barrier that exists between computer applications and memory. The flaw is specific to Intel, but Intel and ARM claim the issue is not a design flaw. Major operating systems Microsoft, Apple, and Linux insist that users will be required to download a software update to fix the issue.
Spectre affects chips in smartphones and tablets, as well as computer chips from Intel and AMD. It allows hackers to manipulate applications into leaking user and computer data.
A disclosure date for the security flaws had been coordinated for January 9, but the researchers decided to notify the public last week “because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”
Graz University of Technology researcher Daniel Gruss, who helped discovered Meltdown, called it “probably one of the worst CPU bugs ever found.” He added that Meltdown was the more serious security issue in the short term but could be fixed with software patches, but Spectre will be a more serious problem in the long term and more difficult to patch, though it is harder for hackers to exploit.
The Register, a tech publication who first reported the flaws, claim that fixes could cause Intel chips to operate five to thirty percent more slowly. Intel has denied that its chips, once updated with the security patches, would cause computers to operate slowly. “Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Google reports that Android phones with the latest security upgrades are protected, so are its Nexus and Pixel phones. Gmail users do not need to take any additional action to protect their accounts, but users of Chromebooks, Chrome web browser, and many of its Google Cloud services will need to install updates.
Most internet servers operated by Amazon Web Services (AWS) have been patched, but many AWS customers have noticed that since the security patch was issued in December, there has been an increase in CPU utilization. Amazon, responding in a statement, said the patch should not impact most customers’ workload but the company would work with customers who have been impacted.
For more: Meltdown and Spectre