This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw

The article has changed 10 times. There is an RSS feed of changes available.

Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers
Serious security flaws that could let attackers steal sensitive data, including passwords and banking information, have been found in processors designed by Intel, AMD and ARM.
The flaws, named Meltdown and Spectre, were discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries. Combined they affect virtually every modern computer, including smartphones, tablets and PCs from all vendors and running almost any operating system.
Meltdown is “probably one of the worst CPU bugs ever found”, said Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw.
Users can do little to avoid the security flaws apart from updating their computers with the latest security fixes as soon as possible. Fixes for Linux and Windows are already available. Chromebooks updated to Chrome OS 63, which started rolling out in mid-December, are already protected.
Android devices running the latest security update, including Google’s Nexus and Pixel smartphones, are already protected. Updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.
An update from Apple on what is needed for its Mac computers and iOS devices is expected.
Meltdown is currently thought to primarily affect Intel processors manufactured since 1995, excluding the company’s Itanium server chips and Atom processors before 2013. It could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory. Fixing Meltdown therefore requires a change to the way the operating system handles memory, which initial estimates predict could affect the speed of the machine in certain tasks by as much as 30%.
The Spectre flaw affects most modern processors made by a variety of manufacturers, including Intel, AMD and those designed by ARM, and potentially allows hackers to trick otherwise error-free applications into giving up secret information. Spectre is harder for hackers to take advantage of but is also harder to fix and would be a bigger problem in the long term, according to Gruss.
Intel and ARM insisted that the issue was not a design flaw, although it will require users to download a patch and update their operating system to fix.
“Intel has begun providing software and firmware updates to mitigate these exploits,” Intel said in a statement, denying that fixes would slow down computers based on the company’s chips. “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Google said it informed the affected companies about the Spectre flaw on 1 June 2017 and later reported the Meltdown flaw before 28 July 2017. Both Intel and Google said they were planning to release details of the flaws on 9 January, when they said more fixes would be available, but that their hand had been forced after early reports led to Intel stock falling by 3.4% on Wednesday.
Google and the security researchers it worked with said it was not known whether hackers had already exploited Meltdown or Spectre and that detecting such intrusions would be very difficult as it would not leave any traces in log files.
Dan Guido, chief executive of cybersecurity consulting firm Trail of Bits, said that he expects hackers will quickly develop code they can use to launch attacks exploiting the vulnerabilities. He said: “Exploits for these bugs will be added to hackers’ standard toolkits.”
Researchers said Apple and Microsoft had patches ready for users for desktop computers affected by Meltdown, while a patch is also available for Linux. Microsoft said it was in the process of patching its cloud services and had released security updates on 3 January for Windows customers.
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” said Apple in a blog post, in reference to the fact that although the security flaws make it possible to steal data using malicious software, there was no evidence to suggest that this had happened.
The company advised customers to update their devices’ operating systems and only download software from “trusted sources such as the App Store”.
Google said that Android devices running the latest security updates were protected, including its own Nexus and Pixel devices, and that users of Chromebooks would have to install updates.
ARM said that patches had already been shared with the company’s partners.
AMD said it believes there “is near zero risk to AMD products at this time.”
Cloud services are also affected by the security problems. Google said it updated its G Suite and cloud services, but that some additional customer action may be needed for its Compute Engine and some other Cloud Platform systems.
Amazon said all but a “small single-digit percentage” of its Amazon Web Services EC2 systems were already protected, but that “customers must also patch their instance operating systems” to be fully protected.
It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.
“The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid,” Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company’s reputation.