A set of newly discovered vulnerabilities in computers have put most devices made in the last two decades at risk and will “haunt us for quite some time”, as tech giants scramble to issue patches.
Users have been advised to update all devices are soon as possible to protect from the flaw, which leaves stored passwords, photos and messages at risk.
The Meltdown and Spectre “bugs” in modern computer processors were revealed by teams of researchers. The bugs can be found in Intel chips, which are used in most of the world’s PCs, as well as ARM chips, which are used in smartphones.
The vulnerabilities potentially allow a hacker to compromise the memory of a processor by exploiting simultaneously run apps, and access passwords, private photographs, messages and emails.
The vulnerabilities can be found in nearly all computer devices made in the last 20 years, including desktop computers, smartphones and laptops.
The flaw has existed for nearly two decades but has only recently been exposed, and it’s not yet known if it has been exploited by malicious parties.
Dr Yuval Yarom, from the University of Adelaide’s School of Computer Science and Data61, was part of the international team that discovered the security flaw and said it puts computers, smartphones and items stored on the cloud at risk.
“This is a significant discovery because both Meltdown and Spectre exploit critical vulnerabilities in modern processors, which are the main part of our computers,” Yarom said.
“These bugs in the hardware can enable hackers using malicious programs to steal sensitive data which is currently processed on the computer. Such programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
“They do this because the processor leaves behind traces of the information that it’s processing, and these traces could lead a hacker to discover important information.”
The vulnerabilities give hackers the ability to “take advantage of the ability to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel”, the researchers said.
The Meltdown flaw is found in the out-of-order execution capabilities found in modern processors, while Spectre focuses on a CPU’s branch prediction capabilities.
Both provide ways for hackers to potentially access sensitive data that is currently being processed on the computer through other running programs, such as passwords being stored in a password manager or browser.
Apple has confirmed that all of its devices running iOS and macOS were impacted by the vulnerabilities.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store,” Apple said in a statement.
The impacted tech giants were tipped off about the flaws earlier, and were given until this 9 January to get the fixes ready. But details of the announcement were revealed ahead of schedule, with the researchers pushing the report out ahead of schedule.
The Meltdown flaw is relatively simple to fix, and tech giants including Apple, Amazon, Android, Google and Microsoft have already deployed patches for most of their devices. Users are recommended to install these updates as soon as possible.
While the Spectre vulnerability is more difficult to exploit, it’s also much harder to protect, meaning it may “haunt us for quite some time”, the researchers said.
Microsoft has now also issued patches for most of its devices, but has confirmed that these may impact the performance of the computers. In a blog post, Microsoft Windows and Devices Group executive vice president Terry Myerson said there may be “significant slowdowns” for devices running Windows 10 on pre-2015 chips.
“A new exploit like this requires our entire industry to work together to find the best possible solutions for our customers,” Myerson said.
“The security of the systems our customers depend upon and enjoy is a top priority for us.”
Intel CEO Brian Krzanich addressed the issue during his keynote address at the CES tech conference this week, saying that updates will be issued for 90 per cent of its products within a week.
“As of now, we have not received any information that these exploits have been used to obtain customer data,” Krzanich said.
“We’re working tirelessly on these issues to ensure it stays that way.”