A major flaw in computer chips has left almost every device on the planet vulnerable to attack, Google’s Project Zero team revealed Thursday.
Flaws in processor design — dating back to 1995 — could allow hackers to access highly sensitive data stored on the system’s memory including passwords and encryption keys.
“Probably one of the worst CPU bugs ever found,” Daniel Gruss, one of the researchers who discovered Meltdown, told Reuters.
Companies like Microsoft, Apple, Google and Amazon are scrambling to create fixes, but analysts say the updated software could impact processor speeds by as much as 30 percent.
What is the flaw?
Two separate threats have been uncovered. Meltdown impacts only Intel chips, and while there are no reports of attacks, researchers have shown it can be easily exploited:
The Spectre vulnerability impacts Intel and AMD chips, as well as those designed using ARM’s architecture — which essentially means every smartphone and tablet currently in use.
Experts say the Spectre flaw is much harder to exploit, but it is also almost impossible to mitigate.
Everyone. If you own a PC, laptop, smartphone or tablet then attackers could potentially access all the sensitive data on your device.
However, devices using Intel chips (80 percent of the desktop PCs and 90 percent of laptops sold today) are most at risk, given how easy it is to exploit the Meltdown flaw.
Should I be worried?
Yes and no.
Security researchers think it is unlikely that attackers will use these flaws to target individual computers, given the cost would outweigh the likely gain.
However, attackers could target services hosted on shared servers, such as Amazon and Google’s cloud services.
Many bitcoin exchanges use cloud servers, and given the rapid price hike in the digital coin in the last 12 months, these could become targets.
“Meltdown could have devastating consequences for cloud providers,” Craig Young, security researcher with Tripwire, told VICE News, as it “could enable attacks between customers.”
Where’s the fix?
Microsoft began rolling out updates on Thursday for Windows 10, Windows 8 and its Azure cloud platform.
Google says it has released updates to Android and Chrome OS, but it will be up to smartphone and laptop manufacturers to push these to end users.
Apple has yet to comment on the situation.
Amazon says it has patched all of its servers.
However, these patches are a short-term fix. Longer term, the vulnerabilities will require Intel, AMD and ARM to completely change their chip designs to prevent future attacks.