Meltdown and Spectre chip security scare: Should you be afraid?

The Spectre logo - Natascha Eibl

Right now, you might be staring at a device harbouring a major security flaw which could leak all your secrets. A 20-year-old computer chip flaw that has left billions of smartphones, computers, cloud storage, tablets and laptops vulnerable has been revealed - here’s what we know so far. 

What are the flaws?

Two bugs dubbed Meltdown and Spectre could leak passwords, sensitive data including cryptocurrency wallets, personal photos, emails, instant messages and confidential business documents, a group of independent security experts have warned. 

If your operating system has not been patched, it may not be safe to work with sensitive information without running the risk of leaking it - this applies to working on your PC or storing documents in cloud infrastructure (saving them online, for example).

Why do we only know now?

The flaw has existed in chips dating back 20 years but was disclosed some months ago to chip makers Intel, ARM and AMD, companies which have been working behind closed doors along with software giants to help create a fix for customers using their hardware.

The Meltdown logo - Credit: Natascha Eibl

What are they doing about it?

Intel cannot fix the flaw directly, but operating systems developers including employees at Microsoft, Google and Apple have created several “workarounds” that they claim solve the issue, but might slow performance of devices. 

How does the bug work?

First, a computer needs to be infected with malware, but this could be as easy as luring a user to a website. Simply visiting the site would allow a hacker to use one of the exploits, Spectre, on their victim’s device.

What is Meltdown?

Meltdown, or CVE-2017-5754, allows a piece of code (which could be sent maliciously) to access the hardware memory - which includes all the private information stored in an operating system. It affects desktop, laptop and cloud computers and effectively any device running an Intel processor since 1995 (apart from Intel Itanium and Intel Atom before 2013). It is unclear whether AMD and ARM processors are affected.

What is Spectre?

Spectre, or CVE-2017-5753 and CVE-2017-5715, works by allowing hackers to trick other programs into leaking secrets.  Billions of devices are affected, including smartphones. Spectre is believed to be tougher to fix and “will haunt us for quite some time,” according to the academics who discovered it.

Has anyone used this yet? 

Using this exploit would require expert-level knowledge, so it is more likely to be the work of nation state cyber sleuths or criminal gangs. The fact that it has been around for almost 20 years is a cause for concern; however, there is no evidence of any exploitation yet, according to Intel. Put simply, nobody knows.

What should I do about it?

Businesses should check with operating system vendors or system manufacturers and apply updates as soon as they become available.  Amazon Web Services said most servers were patched by Wednesday evening, although customers would need to patch their operating systems too.  Microsoft Azure has been patched.

Normal users running computers and smartphones should make sure their software is up to date.

  • Microsoft is understood to be sending out patches to Windows 10 customers on Thursday but has not commented on whether these will patch earlier versions. In a post on its support site, it said that customers would not be protected unless their antivirus was also updated, but this has since been deleted. 

  • Google said that Android devices running the latest security update were protected, including its own Nexus and Pixel phones. It said it will update the Google Chrome browser this month to protect against web-based attacks. G Suite applications like Google Drive are protected along with its cloud services.

  • Apple has not commented on the matter. It is unclear whether updates sent out in December included patches.

In the meantime, make sure that you are using malware protection and good security standards, and that you do not visit untrustworthy sites or click on strange links or emails.

Why have we found out now?

Meltdown was discovered by Jann Horn, from Google Project Zero; Werner Haas and Thomas Prescher, from Cyberus Technology; and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz of Graz University of Technology. After disclosing the bug to Intel through its bug bounty programme, they were given a wait time until they could publish their findings, so Intel could try to patch the problem.

Spectre was discovered by Jann Horn, Paul Kocher with Daniel Genkin from University of Pennsylvania, Mike Hamburg of University of Maryland, Moritz Lipp from Graz University of Technology and Yuval Yarom from University of Adelaide and Data61.

Intel said it expected the findings would be published in a week’s time, but after a report in The Register on Wednesday morning, they were forced to go public - even though some operating systems and servers were not patched.