The latest updates on those devastating computer chip flaws just get worse and worse: A group of security researchers, including one from Google’s elite Project Zero security team, warns that the two critical vulnerabilities collectively could give hackers access to passwords and other data on most PCs, cloud servers, and smartphones around the world.
The researchers claim one weakness, called Meltdown, is present on most Intel processors released since 1995. A second exploit, dubbed Spectre, could expose data on even more systems, they write.
“Almost every system is affected by Spectre: desktops, laptops, cloud servers, as well as smartphones,” they write. “More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.”
Both potentially allow hackers to exploit optimizations in modern processing chips in order to indirectly access data from other software running on the machine. That could mean stealing passwords or data from a password manager or web browser, or, in some cases, even peering into information belonging to other users of a shared cloud server.
Affected devices don’t let hackers access secured information directly, but certain carefully designed operations run at different speeds depending on the data stored at different points in memory. That lets nefarious users effectively determine the values of system data or other people’s information byte by byte by process of elimination, almost the digital equivalent of holding a stethoscope to a bank safe. The researchers wrote that they don’t know if either vulnerability has actually been exploited by hackers.
And while attackers harnessing Meltdown can be blocked by updates being rolled out for popular operating systems, the researchers say Spectre might be a more stubborn target. In some cases, it might be possible to upgrade microcode–extremely low-level instructions that help implement more complex functionality on modern processors–to prevent Spectre attacks, and it may be possible to patch some software to reduce vulnerabilities. But that may not stop all possible attacks, warns Paul Kocher, one of the researchers who discovered Spectre.
“Still, the hardware nature of the issue means it’s going to be a slow and messy mitigation process,” he writes in an email to Fast Company.
Software fixes to Meltdown could also slow down various processes running on affected computers, though Kocher says different computer workloads will be affected in different ways. Some experts cautioned certain use cases could see a slowdown of as much as 30%, The New York Times reported, but Intel said in an early statement that for average users, the effects “should not be significant and will be mitigated over time.”
Intel and Microsoft officials each emphasized they had no evidence the issues had been exploited, and Google’s Android unit said it was unaware of “any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.”
News of the vulnerabilities leaked earlier than many in the industry expected, Intel CEO Brian Krzanich said in an interview with CNBC. The Register, a tech news site based in the United Kingdom, reported Tuesday that a vulnerability existed.
In its statement, Intel refuted earlier rumors implying that it alone is vulnerable to the newly discovered attacks and urged users to install patches released by operating system makers.
“Based on the analysis to date, many types of computing devices–with many different vendors’ processors and operating systems–are susceptible to these exploits,” according to Intel. The company provided a bug bounty to the researchers, they said in announcing the vulnerability.
Similarly, chipmaker Arm said only a subset of its processors are affected and that the relevant flaw could only be exploited if malware was able to run on a machine.
“Arm takes all security threats seriously and we encourage individual users to ensure their software is up-to-date and always follow good security practices,” the company said in a statement to Fast Company. “Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.”
And AMD said there “is a near zero risk” to its processors, CNBC reported. In a statement, the company said that the only attack variant that it’s spotted affecting its chips can be fixed through operating system or software fixes with “negligible performance impact.” The chipmaker didn’t immediately respond to an inquiry from Fast Company.
Hardware vendors, operating system makers, and cloud computing companies quickly announced early steps to address the issues Wednesday. Leading cloud provider Amazon announced Wednesday afternoon that the vast majority of its Elastic Compute Cloud instances were “already protected” and that others would be updated within a few hours. The company also urged customers to update the operating systems running on their cloud servers.
A patch for the Linux operating system kernel is available, and a Microsoft spokesperson said in an email Wednesday that the company was rolling out fixes for its cloud servers and operating systems.
“We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel,” the spokesperson wrote.
Google also released an update for Android that should help limit such attacks. Apple didn’t immediately respond to an inquiry from Fast Company, though the researchers said a patch is available for Mac OS X.
Still, entirely preventing leaks from Spectre, in particular, may take some time.
“As it is not easy to fix, it will haunt us for quite some time,” the researchers wrote.