Two major security flaws affecting nearly every modern central processing unit (CPU) made in the past 20 years could potentially leave millions vulnerable to attack. Security researchers, including a member of Google's Project Zero team, uncovered a flaw in a design technique that could allow malicious hackers to access nearly any data stored on an affected device.
The researchers discovered two flaws dubbed Meltdown and Spectre that could allow an attacker to compromise the privileged memory of a processor and access passwords, encryption keys and proprietary information open in applications.
The flaws potentially affect nearly all processors built in the last two decades and impact nearly any device that uses the hardware, from computers and servers to smartphones.
"These hardware bugs allow programs to steal data which is currently processed on the computer," the researchers wrote. "While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
Meltdown was independently discovered by researchers from Google's Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany. Spectre was uncovered by Project Zero and independent researcher Paul Kocher.
What is Meltdown?
Meltdown affects Intel processors and other modern processors that use speculative execution to optimise performance.
"Meltdown breaks the most fundamental isolation between user applications and the operating system," the researchers said, noting that it exploits the side effects caused by out-of-order execution on modern processors to read arbitrary kernel-memory locations such as personal data and passwords.
This attack does not exploit any software vulnerability but instead targets the side-channel information available on most modern processors that implement out-of-order execution. Chips going back to 2011 were tested and found to be vulnerable. The researchers noted that essentially every processor since 1995, except for Intel Itanium and Intel Atom before 2013, is potentially affected.
It is unclear whether ARM and AMD processors are also affected by Meltdown.
Meltdown could also potentially affect different cloud service providers.
What is Spectre?
Spectre, on the other hand, affects Intel, AMD and ARM processors and essentially tricks applications into accidentally leaking confidential information that would otherwise be protected and stored inside the target's physical memory.
"Almost every system is affected by Spectre: Desktops, laptops, cloud servers, as well as smartphones," the researchers noted. "More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. As it is not easy to fix, it will haunt us for quite some time."
Are you affected by the bug?
"Most certainly, yes," according to the researchers since both flaws are at the architecture level.
Is there a fix?
Intel said in a statement that it is "working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors to develop an industry-wide approach to resolve this issue promptly and constructively".
"Intel has begun providing software and firmware updates to mitigate these exploits," the company noted.
Multiple publications reported that these patches will likely cause significant slowdowns of as much as 30%. However, Intel disputed this, saying any speed issues would be "workload-dependent", would not be significant and would eventually be "mitigated over time".
Intel and ARM said the exploits will be patched in upcoming software updates from them and operating system makers. ARM confirmed its Cortex-A processors are vulnerable but said "the majority" of its chips are not impacted.
AMD said the exploit has little impact on any of its processors. However, the researchers said they have verified Spectre on ARM processors as well.
In a blog post, Google said the issue has already been mitigated in many of its products, while in others the vulnerability did not exist in the first place. In some cases, users may need to take additional steps to make sure they are using a protected version of a product. An upcoming browser update called Chrome 64 will offer protections against the exploits once rolled out on 23 January.
Microsoft has already released an emergency patch for all devices running Windows 10 and will soon deploy additional updates for older versions of Windows on Patch Tuesday.
Amazon Web Services said: "All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications."
Apple has reportedly issued a partial fix in macOS 10.13.2 and will continue to fix the issue in 10.3.3.
"As they are hardware bugs, patching is a significant job," Ido Naor, senior researcher at Kaspersky, told IBTimes UK. "Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre.
"It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection."
The flaws were actually discovered in the middle of 2017 and researchers were scheduled to publish their findings next week on 9 January. However, a report by The Register on the exploit forced the researchers and affected companies to address the issue sooner.