Almost all microprocessors used in computers, phones, servers and more are affected by a massive security flaw. Two major hacks have happened at once.
Security flaws are unwittingly competing to outdo each other. The latest, called Meltdown and Spectre, have the potential to be some of the most widespread yet. It's likely they will impact all computer processors on the market and completely eradicating them will take a serious amount of time.Both Spectre and Meltdown have the ability to be one of the biggest tech security vulnerabilities discovered. Easily ranking alongside Heartbleed, Krack and Shellshock. Here's what we know so far.
What on Earth's happened?
Two security problems impacting microprocessors have been discovered by researchers, from Google, a number of universities as well as other independent analysts.Meltdown specifically impacts chips created by Intel that are being used now, and stretches back to processors created in 1995. Intel's microprocessors are used in the majority of the world's PCs and many servers that underpin cloud and web hosting services – such as Amazon Web Services.
And Spectre is a problem that's persistent across chips from the world's other big designers and manufacturers: ARM and AMD. It's persistent in the products from multiple manufacturers as the issue stems from a design flaw. Chips from all the impacted companies are also used in mobile phones.
For a grasp of the scale of the vulnerabilities, Amazon says they have "existed for more than 20 years in modern processor architectures".
The issues were first reported by The Register.
So, what do the vulnerabilities do?
As with all major vulnerabilities of recent times, this pair of attacks has its own website. "These hardware bugs allow programs to steal data which is currently processed on the computer," it explains.It's possible for data to be stolen as the vulnerabilities allow for software to read the memory of other running programs. While Spectre and Meltdown technically can be exploited in different ways, they both allow for the isolation an operating system should have to be broken. In theory, they allow data to be stolen from any running programs: passwords, documents, emails all have the potential to be taken.
On a wider scale, the makers of the Firefox browser have said they've found that similar techniques as in Meltdown and Spectre could be used to slurp data from browsers. It stresses these were found through internal experiments and has implemented a short-term fix.
Are they being used?
At the moment, there have been no reported uses of Meltdown or Spectre in the wild. Researchers have described proof-of-concept uses of the vulnerabilities, which means it is possible they could be replicated by someone or a group wanting to exploit the problems. Spectre is harder to exploit than Meltdown.Should I be flustered?
If you're an IT administrator you should definitely be hot under the collar. Vendors of products affected include: AMD, Apple, ARM, Google, Intel, Linux Kernel, Microsoft, and Mozilla.Thankfully, for those with an 'Intel inside' there's a patch that can mitigate the problems. As a result, manufacturers have already started to issue updates for their systems. Everyone with an impacted device should install the updates from its creators as soon as possible. Patches could slow down a machine by as much as 30 per cent. Intel has disputed the performance drop findings saying they're over-exaggerated.
But, overall, if the Meltdown updates aren't installed then there's the potential for Meltdown to be used in the real-world and data being stolen. We've listed the patches below.
READ NEXT
Uber tried to cover up a hack that hit 57 million customersUber tried to cover up a hack that hit 57 million customers
By MATT BURGESSThere's a catch though; a fix for Spectre hasn't been created. Short of one being made, the only way the issue will be fully eradicated is with new microprocessors. It seems unlikely that manufacturers will ship replacements for the millions of machines affected. This could leave us with the unsatisfactory result of Spectre only being fully fixed when all affected products aren't used anymore. Given the reliance on legacy hardware by companies and governments, this could easily be another decade.
CERT, which deals with and catalogs cybersecurity issues, assessed Meltdown and Spectre rather bluntly. "Fully removing the vulnerability requires replacing vulnerable CPU hardware," it says.
What patches are there?
Google: The firm is in the process of issuing an array of updates for its devices and products. Android will get an update on January 5, Chrome on January 23 and some affected Chromebooks had a mitigation in its OS 63, which was released in December.Microsoft: The company says a patch has been made available for Windows 10 machines and it will automatically be applied. For older operating systems, The Verge reports, a fix will be available next week. Microsoft says the majority of its Azure infrastructure has already been updated.
Apple: The company has not publicly commented on the issue. However, security researcher Alex Ionescu says macOS 10.13.2 has mitigations for the flaws.
Linux: The operating system already has a patch.
Amazon: Its web services, which underpin a large amount of the internet, have all been updated, the company says.
Source: http://www.wired.co.uk/article/spectre-meltdown-cpu-vulnerability-security-flaw-fix-patches-updates
So is this a good time to invest in AMD?
Definitely, their stocks should rise in my prediction.