Vulnerabilities could affect just about all modern computers, servers and mobile devices. Here's what you should do.
A serious design flaw reportedly present in all Intel processors made in the past ten years could leave devices vulnerable to hackers, requiring an operating system update in order to fix it – and it looks like ARM and AMD are similarly at risk.
The first so-called Meltdown flaw allegedly affects all systems running Intel x86 chips and is present across all popular operating systems, including Windows, Linux and macOS, but is currently under embargo, meaning the full details of the bug are yet to be officially announced. A second flaw, dubbed Spectre, affects Intel, AMD and ARM chips.
This means that just about all modern PCs, laptops, servers and mobile devices are potentially affected, although we should stress that these are vulnerabilities only, and there have been no reports yet of malware or attacks that have exploited the vulnerabilities.
However, the major problem for users is that a patch to the flaw could cause significant declines in performance for the affected machines, the publication said. These slowdowns could impact performance by as much as 30%, depending on the task and the processor model – although Intel says the impact for the average computer user “should not be significant”.
Nevertheless, the Federal Government’s StaySmartOnline service recommends downloading patches (for your devices and operating systems) as soon as they become available.
The vulnerabilities explained
A security blog post from Google researchers explains that its Project Zero team found serious security flaws in Intel, AMD and ARM chips caused by “speculative execution” – a technique used by most modern processors to optimise performance – last year.
Project Zero researcher Jann Horn showed that hackers could take advantage of this flaw to read system memory that should be out of bounds. For example, they could use the bug to read passwords, encryption keys or private data in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine.
“These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them,” according to the blog.
As soon as Google learned of the attack, it said it updated its systems and affected products. It also began working with hardware and software manufacturers to help protect their users and the web.
Google has published a technical breakdown ahead of the 9 January scheduled release. Microsoft is also expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday this month, after seeding them to beta testers running fast-ring Windows Insider builds in November and December.
Big (potential) trouble for businesses
A software developer who runs a popular Tumblr called Python Sweetness has blogged about the potential trouble this flaw could cause businesses once it's made official. The developer warned that “from everything I've seen, including the vendors involved, many fireworks and much drama is likely” when the embargo lifts.
“In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer,” the developer explained.
“I would not be surprised if we start 2018 with the release of the mother of all hypervisor privilege escalation bugs, or something similarly systematic as to drive so much urgency, and the presence of so many interesting names on the patch set’s CC list.”