Yesterday we told you about a major 'design flaw' in Intel computer processors that puts your computer at serious risk. The design flaw could let hackers get your passwords, login info, and security keys.
This flaw is now officially known as Meltdown and it is reported to affect Intel chips made within the last decade.
There is a fix coming very soon, but there is one really bad side effect. It will slow your computer down by up to 30 percent and there is nothing you can do about it. This will hurt a lot of people and businesses.
Now, there is another new flaw in all computer processors including home computers, mobile devices, and servers. This is real bad, there is no fix yet and some believe there won't ever be.
This flaw affects ALL chip manufacturers
This second flaw is dubbed as Spectre and it can potentially be even worse than Meltdown.
First, unlike Meltdown, which reportedly only affects Intel chips, the Spectre bug can impact chips from every major manufacturer - ARM, AMD, and Intel. This puts almost every computer, smartphone and tablet at risk of Spectre attacks.
Secondly, while Meltdown can be addressed with software patches, Spectre appears to be a fundamental flaw in how processors work and a software patch may not be able to fix it.
Fortunately, on the flipside, it looks like Spectre is harder to exploit than Meltdown.
Speculative execution: the heart of these flaws
Both Meltdown and Spectre exploit a process called "speculative execution," a capability built into every modern processor.
This process makes chips faster by allowing them to predict what tasks your gadget may need and execute them beforehand whether you actually need a task or not. If a task is not needed, then it is discarded.
As demonstrated by Google's Project Zero team, attackers can then exploit flaws caused by this predictive process to access protected areas of a system's memory.
Due to how data is being cached in these areas, hackers can then read and steal sensitive information such as passwords, encryption keys, login info and even files. Anything cached is fair game.
Keep in mind that these flaws are entirely a new class of attacks, meaning, this is the first time a processor's "speculative execution" process has been found to be exploitable.
Since this process is being used as a core optimization technique by all modern chips, this discovery will potentially change everything and it will require a redesign of how chips work. Yep, it really sounds bad, folks.
Note: Meltdown is known as Variant 3 of this type of attack, specific to Intel chips. Spectre attacks are Variants 1 and 2 and these are said to impact AMD, ARM, and Intel chips.
Intel confirmed that the design flaws exist and it is working on a solution that will not significantly bog down computers. Since Meltdown is the only variant that is currently patchable via software, we're assuming that the company is referring to this specific flaw.
The company also stated that the problem is not unique to Intel chips. Technically this is true because, as mentioned earlier, the Spectre variants affect AMD and ARM chips, as well.
Intel also disputes the claims regarding the performance hits that the fix will bring. The company stated that the slowdowns are dependent on the tasks at hand and average users will not be significantly affected.
"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel wrote in an official statement.
Furthermore, Intel stated that its updates for all types of Intel machines will render them immune from BOTH Meltdown and Spectre attacks.
Advanced Micro Devices aka AMD, also issued its own statement regarding these flaws. Contrary to earlier reports that stated that AMD processors are impacted by at least one Spectre variant, AMD believes that its chips are not vulnerable to all three variants of the attack, including Spectre.
According to AMD:
"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
Since the Spectre flaw is apparently a fundamental design flaw in virtually all modern chips made in the last 20 years, we'll have to wait for third-party security researchers to confirm AMD's claims.
Google's Project Zero wrote that there is no single fix for all variants and each requires a specific method of protection.
Fortunately, it is believed that the vulnerabilities have NOT been exploited as of yet and there is no evidence that hackers have abused or are actively abusing them. Technical details about the flaws are still scarce, buying hardware and software vendors some time.
However, since the existence of these flaws is now publicly known, issuing patches and security updates to mitigate these flaws will be the first order of business for hardware and software vendors.
As we mentioned earlier, Intel's patches for Meltdown are now being prepared for Windows, MacOS and Linux machines. Linux patches are already available and the Windows fix will be likely included in this month's Microsoft Patch Tuesday Updates. Note: According to some reports, Apple already partially addressed the Meltdown flaw in macOS 10.13.2.
Spectre, on the other hand, likely can't be fixed by a simple software patch and security pundits are saying that it might take a new generation of chips to completely eradicate it. Hopefully, updates can still be issued to at least lessen its potency.
As bad as it looks, there's actually no real reason to panic. Performance hit or not, the incoming patches should mitigate Meltdown's flaw. Spectre is difficult to execute so its widespread impact will be fairly limited.
Since these flaws still require malicious code to execute on your computer or gadget, following basic computer safety precautions should protect you in the meantime.
A few questions
With these revelations, we can't help but pose some interesting questions. First, why did it take more than 20 years to discover these flaws? Does it take extensive technical and software engineering skills to pull them off in the first place?
Did the chip makers know something that they didn't want the rest of the computing world to know? Considering it will require a total rethinking of how chips are designed, didn't they factor how they can affect a processor's speed?
Are they expecting us to relegate all our old flawed gadgets to that big tech recycle bin and wait for newer chips that, of course, will be immune to these flaws? Just asking.
Security flaw in web browser autofill tools can steal your data
Speaking of flaws, here's another unrelated threat you need to know about. Browser autofilling is one of the conveniences of modern web browsers. But you have to read about this latest flaw that can turn this convenience into a tool that can track you and even steal your information! Click here to read more about this threat.