Two massive security flaws that affect almost every modern computer, including cellphones, recently came to light. According to a Reuters report, security researchers found a set of flaws that leaves computers vulnerable to hacking. Here’s what we know.
1. Computers containing these chips are vulnerable
The bugs affect computers containing chips from Intel Corp, Advanced Micro Devices, Inc., and Arm Holdings. One of the bugs affects Intel specifically, but another affects laptops, desktop computers, smartphones, tablets, and internet servers equally, as well as Apple TVs and Apple Watches, according to Variety. Intel and Arm said that the issue does not represent a design flaw, but it will require users to download a patch and update their operating system.
The first, called Meltdown, affects Intel chips. It lets hackers bypass the hardware barrier between applications run by users and the computer’s memory. That means hackers could potentially read a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD, and Arm. It could allow hackers to trick applications into giving up information.
2. The impact on devices varies
“Phones, PCs, everything are going to have some impact, but it’ll vary from product to product,” Intel CEO Brian Krzanich told CNBC.
Google said in a blog post that Android phones running the latest security updates remain protected. Nexus and Pixel phones with the latest security updates should stay safe as well. Gmail users do not need to take any additional action to protect themselves, but users of Chromebooks, the Chrome web browser and many Google Cloud services will need to install updates.
3. All devices and computing systems are impacted
Apple also responded in a blog post. “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.” The company added that iPhone and Mac users should only download apps and software from trusted sources and that while Apple Watch and TV can also be affected, they have not seen any hacks to those devices. Apple said it also plans on releasing an update to Safari to protect customers.
Daniel Gruss, a researcher who helped discover Meltdown, told Reuters he considers it “probably one of the worst CPU bugs ever found.”
4. The issue existed for decades before discovery
“As far as I can tell it’s a crazy coincidence,” said Paul Kocher, a security researcher and one of the two people who independently reported Spectre. “The two threads have no commonality,” he added. “There’s no reason someone couldn’t have found this years ago instead of today.”
Some wonder whether the NSA or other state-sponsored intelligence agencies really did find the flaw earlier than we think. Wired pointed out that, if the flaw yielded intelligence the government wanted, it would have been in its best interest not to share that with the public.
5. If the government did know, it didn’t use the flaws
White House cybersecurity coordinator Rob Joyce, a former senior NSA official, told the Washington Post that the NSA did not know about Spectre and Meltdown and had never exploited them. Joyce also pointed to the Vulnerabilities Equities Process, the NSA’s rules for disclosing vulnerabilities. Researchers suggested instead that multiple people discovered the bugs because a lot of coders focused on the same area, and therefore saw the same things.
6. The companies withheld information for this reason
Affected companies have known about Spectre and Meltdown for a while now, but kept quiet for a very good reason. According to CBS, companies withhold details about security issues until fixes become available. That prevents hackers from having a roadmap to exploit those flaws before proper protections are in place. Some of those fixes can affect device performance. Intel’s fix, for example, may slow down some devices’ performance by 30% or more. Most users won’t see that kind of a slowdown. Steve Smith, head of Intel’s data center engineering, said most will see less than a 2% impact.
7. We can’t fix the issue entirely with patches
According to the U.S. Computer Emergency Readiness Team, “fully removing the vulnerability” requires replacing hardware already embedded in computing devices. That said, the patches are a good step for most consumers. “If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” security researcher Rob Graham said. “If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about.”