Two major vulnerabilities in processing chips from Intel, ARM, and AMD—affecting almost all computers, servers, cloud operating systems, and cellphones made in the past two decades—were revealed by security researchers on Wednesday.
The flaws, which were given the 007-esque monikers Spectre and Meltdown, could allow unauthorized actors to steal passwords, emails, credit card info, and a host of other data stored in a computer’s memory, though Intel claims that they should not allow anyone to “corrupt, modify or delete data.” Multiple research groups, including Google’s Project Zero, discovered the issue independently over the past year, though they kept their findings under wraps with nondisclosure agreements until they could develop fixes.
Are you affected by the bug? “Most certainly, yes,” reads the FAQ page on a website that security researchers created to address the flaws. There are a number of ways to at least partly protect yourself, most of which involve checking that your devices and browsers are all appropriately updated, though some users may have to wait for the next few weeks because not all companies have released comprehensive patches. Your devices may also slow down a bit after the fixes are in place.
Google, Microsoft, and other companies have released patches that mitigate Meltdown. Because Meltdown compromises the hardware barrier between applications and the operating system’s core (kernel) memory, the fix involves altering how the operating system manages memory. While the patches should protect users’ data, they could also slow computer performance by anywhere from 5–30 percent, according to preliminary estimates by the Register. Intel, however, stated that the effects “should not be significant and will be mitigated over time” for “the average computer user.”
Software patches aren’t enough to fully mend Spectre, which fools applications into divulging restricted data. Users will have to wait for processor redesigns in the next generation of chips. Fortunately, it is more difficult for hackers to take advantage of Spectre.
Nonetheless, there are a number of ways that hackers may exploit the flaws. According to the New York Times, they could theoretically purchase cloud space and then steal info from other customers on the server because the vulnerability makes it possible to bypass the protections that partition user data. Hackers are also able to tap into computers if they can find ways to trick victims into downloading malicious software onto their devices.
Although there have been no documented cases of the vulnerabilities being maliciously exploited as of yet, security experts are urging users to take pre-emptive measures by checking to see if there are updates for their browsers and devices. Those who use Firefox, Internet Explorer, and Edge should make sure that they have the latest versions of the browsers, which all have fixes. Google will release a new version of Chrome with a patch on January 23rd.
Windows 10 users should ensure that they received the automatic update released on Wednesday, while those who have older systems, such as Windows 7 and Windows 8, will have to wait until next Tuesday to get the update. The Verge also advises that people with Windows computers should make sure that BIOS updates from Dell, HP, Lenovo, and other manufacturers are installed. There is also reportedly a partial fix right now for macOS 10.13.2, while the currently unreleased macOS 10.13.3 will have a more comprehensive solution.
Amazon, Microsoft, and Google have also patched their cloud services that use Intel processors. Amazon has scheduled a maintenance period between Friday and Saturday to further address the issue, while Microsoft is planning to do so next Wednesday.